Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Display in range data based on application time ta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Display in range data based on application time taken
Hi Splunkers,
I am looking to display the data
Product 1
Seconds Cumulative response % running average Volume of transactions
<4.5 seconds
<5.5 seconds
<7.5 seconds
<25 seconds
>=30 seconds 100
Based on the below post i actually wrote the same thing and it works till 10 sec but not the same way as listed
https://community.splunk.com/t5/Splunk-Search/Grouping-by-numeric-range/m-p/27498
My query looks like
.....Search Query..... | eval frontEndLatency=frontEndLatency/1000 | sort 0 frontEndLatency | eventstats count as total | eval in_range=round(case(frontEndLatency<30, floor(2*frontEndLatency)/2+.5, frontEndLatency<10, ceil(frontEndLatency), frontEndLatency>=30,30.0),1)
| streamstats count as cnt avg(frontEndLatency) as run_avg
| stats first(total) as total last(run_avg) as run_avg max(cnt) as count count as cnt by in_range,product
| sort 0 in_range | eval range=if(frontEndLatency>=30, ">= 30.0 sec","< "+tostring(in_range)+" sec")
| eval pct=round(count/total*100,1)
| eval run_avg=round(run_avg,1)
| rename cnt as "Volume of Transactions" pct as "**bleep**. response %" run_avg as "Running Avg" | dedup range
| table range "**bleep**. response %" "Running Avg" "Volume of Transactions" | where range ="< 4.5 sec" OR range ="< 5.5 sec" OR range ="< 7.5 sec" OR range ="< 25.0 sec" OR range="< 30.0 sec"
It gives me the output as
range **bleep**. response % Running Avg Volume of Transactions
< 4.5 sec 4.7 1.3 2
< 5.5 sec 7.3 1.7 10
< 7.5 sec 26.5 2.8 21
But it does not gives the same table and thus i tried changing
floor(4*frontEndLatency)/2+.5
or floor(8*frontEndLatency)/2+.5 and it gives me the table but wrong figures.
Kindly advise as I am unable to understand what exactly is happening here? Also I tried rangemap but its not working.
Thanks,
Amit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rangemap should work:
...
| sort 0 _time
| rangemap field=frontEndLatency "1. <4.5 seconds"=0-4.4 "2. <5.5 seconds"=4.5-5.5 "3. <7.5 seconds"=5.6-7.4 "4. <25 seconds"=7.5-24.9 default="5. >=30 seconds"
| streamstats avg(frontEndLatency) as avg_frontEndLatency by range
| stats last(avg_frontEndLatency) as avg_frontEndLatency count by range
| accum count as subtotal
| eventstats sum(count) as total
| eval percent=100*subtotal/total
| table range percent avg_frontEndLatency count
| rename range as "Product 1 Seconds", percent as "Cumulative repsonse %", avg_frontEndLatency as "Running Avg", count as "Volume of transactions"
I'm unsure of your intent with respect to running averages, but I've included an example split by range that assumes ascending _time order is the correct sequence.
I've add "1.," "2.," "3.," ... prefixes to the range names, so they'll sort correctly after stats.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
