Solved: How to create a table on windowed count of api res...

anonym3421 · ‎03-23-2022

I have some api response logs separated by pipe. However there is already field extraction on api response time. the field value is something like "100 ms". I want to create a table on windowed count of api response time.

The final table I want to create is some thing like

responseTime count

5 ms. {count where responseTime <= 5ms}

10 ms {count where responseTime <= 10ms but >5ms}

I can create a simple count table by " base search | stats count by responseTime" which results like

responseTime count

1 ms 100

2 ms 30

How can I create this windowed stats?

ITWhisperer · ‎03-23-2022

Assuming responseTime is already measured in milliseconds:

base search 
| bin responseTime span=5s
| stats count by responseTime

The s is important otherwise you get a range of values.

View solution in original post

ITWhisperer · ‎03-23-2022

Assuming responseTime is already measured in milliseconds:

base search 
| bin responseTime span=5s
| stats count by responseTime

The s is important otherwise you get a range of values.

How to create a table on windowed count of api response time?

stats

table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms