Solved: Group results by range values

tyronetv · ‎01-22-2013

I'm sure there is probably an answer this in the splunk base but I am having issues with what I want to call what I am attempting to do so therefore searching on it is somewhat difficult. 🙂

Essentially I want to pull all the duration values for a process that executes multiple times a day and group it based upon performance falling withing multiple windows. I.e. "Fastest" would be duration < 5 seconds. "Fast" would be duration 5 seconds or more but less than, say, 20. "Slow" would be anything 20 seconds or longer but less than, say, a minute, or 60 seconds, and "Painful" would be anything 60 seconds or longer.

Ideas?

jonuwz · ‎01-22-2013

Something like this (assuming the field your interested in is called 'dur') :

<your search here> 
| eval speed=case(dur<5,"Fastest",dur<20,"Fast",dur<60,"Slow",1=1,"Painful)
| stats count by speed

The case statement exits on the 1st match, so the last statement :

1=1,"Painful"

acts as a default

View solution in original post

moisesroth · ‎05-28-2018

Another solution is to group by range, e.g:
search | chart count by duration span=5

the_wolverine · ‎01-22-2013

search | rangemap field=duration Slowest=0-5 Slow=5-27 Fast=27-500 Fastest=500-10000

martin_mueller · ‎01-22-2013

I believe it's the other way round, low durations are fastest

martin_mueller · ‎01-22-2013

Rangemap? 🙂

jonuwz · ‎01-22-2013

Something like this (assuming the field your interested in is called 'dur') :

<your search here> 
| eval speed=case(dur<5,"Fastest",dur<20,"Fast",dur<60,"Slow",1=1,"Painful)
| stats count by speed

The case statement exits on the 1st match, so the last statement :

1=1,"Painful"

acts as a default

Group results by range values

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...