Splunk Search
Highlighted

How to group my search results with respect to response time ranges?

New Member

here is the situation:
I have two fields
1. Response time that needs grouping like this (Low=0-1.2, Medium=1.2-1.5, High=1.5-1.8 default=Critcal)
2. CodeName that corresponds to the response time

i want to see top 5 codenames trending graph with bucketing as mentioned above for a span of 15min.

I tried this
my search| rangemap field=ResponseTime Low=0-1.2, Meduim=1.2-1.5, High=1.5-1.8 default=Critcal | timechart count span=15 min by range

0 Karma
Highlighted

Re: How to group my search results with respect to response time ranges?

SplunkTrust
SplunkTrust

What's the output of your current search and what's the output should be?

0 Karma
Highlighted

Re: How to group my search results with respect to response time ranges?

Builder

I don't think rangemap likes decimals. Maybe the answer posted here using |eval case will be a suitable substitute.

https://answers.splunk.com/answers/5659/rangemap-does-not-work-with-decimals.html

Highlighted

Re: How to group my search results with respect to response time ranges?

Contributor

Yes you have to go with eval case in this scenario,

my search
| eval Range=case(
ResponseTime>0 AND ResponseTime<1.2, "Low", 
ResponseTime>1.2 AND ResponseTime<1.5, "Medium", 
ResponseTime>1.5 AND ResponseTime<1.8, "High", 
1==1 "Critical")
| timechart span=15 range by CodeName
0 Karma