Splunk Enterprise

Why is my case command with less than or equal to operator not categorizing correctly?

lrnr01
Observer

Hi All,

I have the below line of code to categorize transactions based on the response time (duration) taken in seconds.

| eval ranges=case(Duration<=1,"less",Duration>1 and Duration<=3,"between",Duration>3,"greater")

Say I trigger a load test with 100 transactions which are all taking between 1 to 3 secs, but surprisingly a few txns, say 1 to 4 txns out of 100, are NOT getting categorized in the table though their duration column has a value between 1 to 3 secs. Can someone please let me know what is going wrong?

0 Karma

PickleRick
SplunkTrust

Check if you're not having those values as strings. If so, you have to cast them to numbers by using tonumber().

0 Karma

lrnr01
Observer

@PickleRick, thank you very much, that gave me a clue and I tried the below line (WORKED) and it worked.

| eval ranges=case(Duration<="1", "less", Duration>"1" AND Duration<="3", "between", Duration>"3", "greater")

INSTEAD OF (NOT WORKING)

| eval ranges=case(Duration<=1,"less",Duration>1 and Duration<=3,"between",Duration>3,"greater")

0 Karma
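The tonumber() cast suggested above, as an added example that is not part of any post in this thread. It runs on constructed sample values generated with makeresults, including a whitespace-padded value, a two-digit value and a non-numeric value. The field names field_type, d, ranges_string and ranges_numeric are assumptions made for the illustration. It puts the quoted-literal case() and a numeric case() side by side so the two results can be compared row by row.

```spl
| makeresults
| eval Duration=split("0.8,1,2.5, 3 ,10.2,n/a", ",")
| mvexpand Duration
| eval field_type=typeof(Duration)
| eval d=tonumber(trim(Duration))
| eval ranges_string=case(Duration<="1", "less", Duration>"1" AND Duration<="3", "between", Duration>"3", "greater")
| eval ranges_numeric=case(isnull(d), "not a number", d<=1, "less", d<=3, "between", true(), "greater")
| table Duration field_type d ranges_string ranges_numeric
```

Quoted literals are compared as strings, character by character, while the cast field d is compared as a number. The isnull(d) branch surfaces values that could not be converted instead of leaving them uncategorized.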