Solved: Eval for Performance based on Category and if belo...

ebs · ‎06-28-2021

Hi,

I want to look at each response_time value for each Tier, and count the amount of response times that are above and below the MaxResponseTime that corresponds to each separate Tier. I have 5 Tiers (categories) with all different MaxResponseTime values.

Here's the search so far:

venkatasri · ‎06-29-2021

@ebs can you try this?

| datamodel metric summariesonly=true search
| search "metric.date"=2021-06-28
| rename "metric.date" as date
| rename "metric.Tier" as Tier
| rename "metric.response_time" as response_time
| stats values(response_time) as resp_time, max(maxResponseTime) as max_resp by Tier 
| mvexpand resp_time
| stats count(eval(resp_time > max_resp)) as gt, count(eval(resp_time < max_resp)) as lt, list(resp_time), count(resp_time) as total_resp_count by Tier 
| eval below_perc=(lt/total_resp_count) * 100

---

An upvote would be appreciated and Accept solution if it helps!

View solution in original post

venkatasri · ‎06-28-2021

@ebs can you explain with sample events i guess i did not quite get it.

ebs · ‎06-29-2021

Sure,

Tier 1 (MaxResponseTime): 1500

Tier 1 (response_time): 1483, 1682, 1000, 887, 1936

Tier 1 (Count Below): 3

Tier 1 (Count Above): 2

Tier 1 (Performance) 3/5

Tier 2 (MaxResponseTime): 3000

Tier 2 (response_time): 3278, 4529, 5763, 2800, 1600

Tier 2 (Count Below): 2

Tier 2 (Count Above): 3

Tier 2 (Performance): 2/5

venkatasri · ‎06-29-2021

@ebs can you try this?

| datamodel metric summariesonly=true search
| search "metric.date"=2021-06-28
| rename "metric.date" as date
| rename "metric.Tier" as Tier
| rename "metric.response_time" as response_time
| stats values(response_time) as resp_time, max(maxResponseTime) as max_resp by Tier 
| mvexpand resp_time
| stats count(eval(resp_time > max_resp)) as gt, count(eval(resp_time < max_resp)) as lt, list(resp_time), count(resp_time) as total_resp_count by Tier 
| eval below_perc=(lt/total_resp_count) * 100

---

An upvote would be appreciated and Accept solution if it helps!

ebs · ‎06-29-2021

Amazing, thanks so much!

venkatasri · ‎06-28-2021

Hi @ebs

Since you are already doing stats by Tier you will find values something like this single event.

response_time, Tier

4 Tier1

2

3

1

Your maxResponseTime = 4, there are no respTimes above max as 4 itself max for that Tier, below maxRespTime are always total count (4) - 1 = 3. Is that what you want to acheive?

--

An upvote would be appreciated if it helps!

ebs · ‎06-28-2021

So basically, say I have a MaxResponseTime of 1500 for Tier1. I want to count all the response_time's for Tier1 that are under 1500 and all the ones over Tier1. Tier2's MaxResponseTime is 3000, I would want to count all the ones for this both under and over the MaxResponseTime as well. I also then ant to do a percentage of the amount of response time's that fell under the threshold per tier.

Eval for Performance based on Category and if below MaxResponseTime

count

eval

fields

stats

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?