Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to split the call based on TimeTaken

marinewcreater
Explorer
‎10-26-2021 04:01 PM

I would like to create a Pie chart to show how many calls took less than 100ms, 200ms, and 300ms. 

index=star env=prod |search time > 100 | stats count by time

 

How can I append > 200 and >300 in the same query? 

Labels (3)
Labels
0 Karma
Reply

acharlieh
Influencer
‎10-26-2021 10:21 PM

In addition to the `count(eval())` options with stats as have already been suggested, another option would be to create a field that classifies your events by the durations you're interested in... then stats count by that new field... 

If you have the specific ranges that you're interested in...you could use eval to construct a classifier, and then stats count by that classifier.

<base search> 
| eval classifier=case(time<100, "<100", time<200, "<200", time<300, "<300", true(), ">=300" )
| stats count by classifier

Since you have a numeric field, you could use bin to make those classifiers instead:

<base search> 
| bin time as classifier span=100 
| stats count by classifier

And of course there are many other methods of creating a classifier field (single or multi-valued), but the downside to doing a simple by clause is of course is that if you don't have a particular expected range/classifier in your data, you simply won't have that particular range in your output, which depending on your use case may be alright, or may be a problem.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎10-26-2021 04:50 PM

@marinewcreater 

You could try stats with eval something like this , grouping them by time does not create a great pie chart you could still try it depends on number of data points, use | bin to bucket them before using by time.

 

index=star env=prod | searchTime > 100 | stats count(eval(searchTime>100)) as gt_100, count(eval(searchTime>200 AND searchTime<300)) as gt_200, count(eval(searchTime>300)) as gt_300

 

 

Reply

nmohammed
Builder
‎10-26-2021 04:47 PM 
index=star env=prod | 
chart count(eval(time <100)) AS "<100ms", count(eval(time >100 AND time <200)) AS "<200ms", count(eval(time >200 AND time <300)) AS "<300ms" 
| stats count by time

 

try that query and select pie chart under visualizations.

Reply

marinewcreater
Explorer
‎10-26-2021 07:46 PM

Error in stats command: eval is invalid

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...