Splunk Search

How to group multiple methods responsetime into intervals and obtain count?

Splunk_321
Path Finder

Hi All,

I have a requirement where I need to group the count of method response times into different time intervals.

Below is what I tried:

basesearch
| eval ResponseTime=if(uri=="/api/auth",null(),responsetime*1000)
| rex field=gwrequesturi "(?<prefix>\S+)/locations/(?<method>\w+[^/?])"
| table ResponseTime method

This resulted in the output below:

ResponseTime  Method
330           A
1627          B
1025          B
3126          A
2034          B
...

I have two possible values for method (say, for example, A and B).

I want to get results something like the table below (ResponseTime interval and the count of each method falling in that interval):

ResponseTime        A    B
<=1000              4    8
>1000 and <=3000    11   25
>3000 and <=5000    35   23
>5000               2    4

Can someone help me with the query?

Thanks in advance!

1 Solution

VatsalJagani
SplunkTrust

@Splunk_321 - try the search below:

basesearch
| eval ResponseTime=if(uri=="/api/auth",null(),responsetime*1000)
| rex field=gwrequesturi "(?<prefix>\S+)/locations/(?<method>\w+[^/?])"
| table ResponseTime method
| eval category=case(ResponseTime<=1000,"<=1000", ResponseTime<=3000,">1000 and <=3000", ResponseTime<=5000,">3000 and <=5000", ResponseTime>5000,">5000")
| chart count over category by method


I hope this helps!!! Kindly upvote if it does!!!

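The bucketing from the accepted answer, re-implemented in Python as an added example (not code from the thread or from Splunk) over constructed events, so the pipeline's semantics can be checked offline: case() returns the first true branch, /api/auth events get a null ResponseTime and drop out of the chart, and the method comes from the same regex as the rex. The field names uri, responsetime and gwrequesturi are taken from the question; the method names "lookup"/"update" and all values are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not from the original post); responsetime is in seconds, as in the question.
SAMPLE_EVENTS = [
    {"uri": "/svc", "responsetime": 0.330, "gwrequesturi": "/gw/v1/locations/lookup"},
    {"uri": "/svc", "responsetime": 1.627, "gwrequesturi": "/gw/v1/locations/update?x=1"},
    {"uri": "/svc", "responsetime": 3.000, "gwrequesturi": "/gw/v1/locations/lookup"},
    {"uri": "/svc", "responsetime": 3.126, "gwrequesturi": "/gw/v1/locations/lookup"},
    {"uri": "/svc", "responsetime": 2.034, "gwrequesturi": "/gw/v1/locations/update/extra"},
    {"uri": "/api/auth", "responsetime": 9.000, "gwrequesturi": "/gw/v1/locations/lookup"},
    {"uri": "/svc", "responsetime": 5.500, "gwrequesturi": "/gw/v1/locations/update"},
    {"uri": "/svc", "responsetime": 0.800, "gwrequesturi": "/gw/v1/other/lookup"},
]

# Same pattern as the rex in the thread (Python spells named groups (?P<name>...)).
METHOD_RE = re.compile(r"(?P<prefix>\S+)/locations/(?P<method>\w+[^/?])")

# Ordered like the case() clauses: case() returns the first true branch, so the order matters.
BUCKETS = [(1000, "<=1000"), (3000, ">1000 and <=3000"), (5000, ">3000 and <=5000")]
OVERFLOW = ">5000"
CATEGORY_ORDER = [label for _, label in BUCKETS] + [OVERFLOW]

def response_time_ms(event):
    """eval ResponseTime=if(uri=="/api/auth",null(),responsetime*1000); None stands for null()."""
    if event["uri"] == "/api/auth":
        return None
    return event["responsetime"] * 1000

def categorize(ms):
    """First-match bucketing, equivalent to the case() in the accepted answer (bounds are inclusive)."""
    for upper, label in BUCKETS:
        if ms <= upper:
            return label
    return OVERFLOW

def chart_by_method(events):
    """chart count over category by method -> {category: {method: count}}; null ResponseTime or no rex match is dropped."""
    table = defaultdict(Counter)
    for ev in events:
        ms = response_time_ms(ev)
        m = METHOD_RE.search(ev["gwrequesturi"])
        if ms is None or m is None:
            continue
        table[categorize(ms)][m.group("method")] += 1
    return {cat: dict(counts) for cat, counts in table.items()}

def rows(table, methods):
    """Render the chart in interval order with zero-filled cells, like the table the asker wanted."""
    return [(cat, *[table.get(cat, {}).get(m, 0) for m in methods]) for cat in CATEGORY_ORDER]
```

Note that chart sorts the category column as strings; with these labels the lexical order happens to match the numeric order, which rows() enforces explicitly.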


Splunk_321
Path Finder

This helps. Thank you for the solution!
