Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to split the call based on TimeTaken

marinewcreater
Explorer
‎10-26-2021 04:01 PM

I would like to create a Pie chart to show how many calls took less than 100ms, 200ms, and 300ms. 

index=star env=prod |search time > 100 | stats count by time

 

How can I append > 200 and >300 in the same query? 

Labels (3)
Labels
0 Karma
Reply

acharlieh
Influencer
‎10-26-2021 10:21 PM

In addition to the `count(eval())` options with stats as have already been suggested, another option would be to create a field that classifies your events by the durations you're interested in... then stats count by that new field... 

If you have the specific ranges that you're interested in...you could use eval to construct a classifier, and then stats count by that classifier.

<base search> 
| eval classifier=case(time<100, "<100", time<200, "<200", time<300, "<300", true(), ">=300" )
| stats count by classifier

Since you have a numeric field, you could use bin to make those classifiers instead:

<base search> 
| bin time as classifier span=100 
| stats count by classifier

And of course there are many other methods of creating a classifier field (single or multi-valued), but the downside to doing a simple by clause is of course is that if you don't have a particular expected range/classifier in your data, you simply won't have that particular range in your output, which depending on your use case may be alright, or may be a problem.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎10-26-2021 04:50 PM

@marinewcreater 

You could try stats with eval something like this , grouping them by time does not create a great pie chart you could still try it depends on number of data points, use | bin to bucket them before using by time.

 

index=star env=prod | searchTime > 100 | stats count(eval(searchTime>100)) as gt_100, count(eval(searchTime>200 AND searchTime<300)) as gt_200, count(eval(searchTime>300)) as gt_300

 

 

Reply

nmohammed
Contributor
‎10-26-2021 04:47 PM 
index=star env=prod | 
chart count(eval(time <100)) AS "<100ms", count(eval(time >100 AND time <200)) AS "<200ms", count(eval(time >200 AND time <300)) AS "<300ms" 
| stats count by time

 

try that query and select pie chart under visualizations.

Reply

marinewcreater
Explorer
‎10-26-2021 07:46 PM

Error in stats command: eval is invalid

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...