How to use Eval greater than, less than for a duration and Count the values

amunag439
Explorer

I'm calculating the time difference between two events by using transaction and duration. Below is the query that I used to get the duration between the two events, Model and Response:

host=* sourcetype=** source="*/example.log" "Model*" OR "Response*"
 | transaction traceId startswith="Model" endswith="Response" 
 | table traceId duration _time

I want to get counts of transactions where duration>1, duration<1, and the total count in the same table. I was able to do it individually in separate queries using a where clause and eval, but was not successful when I combined them. The individual query that works for me is:

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1
| stats count(less_dur)

The query that doesn't work for me is:

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1 | eval more_dur=duration | where more_dur < 1
| stats count(less_dur), count(more_dur), count
1 Solution

tiagofbmm
Influencer

I think there is a logical loop here. You're looking for duration > 1 and then duration < 1, and want to have the number of each of those.

How about:

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=if(duration>1,1,0), more_dur=if(duration<1,1,0) | stats sum(less_dur), sum(more_dur), count


amunag439
Explorer

@tiagofbmm This is exactly what I was looking for. Thank you


cmerriman
Super Champion

So the reason that wouldn't work is because you're calculating less_dur and then filtering when it's less than 1. Then you create more_dur, but the duration is already always less than 1. You would need to do both evals before the where statements.

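The ordering problem cmerriman describes, modeled in Python over constructed log lines so it can be checked offline. This is an added example, not code from the thread or from Splunk: `build_transactions` is a simplified stand-in for the SPL `transaction` command (one open transaction per traceId, unpaired starts dropped, which is an assumption about what Splunk's default keepevicted=false does), and the sample events are made up. `sequential_where` mirrors the poster's failing query, and `flagged_stats` mirrors the accepted answer with an extra bucket for durations of exactly 1, which neither `> 1` nor `< 1` counts.

```python
import re
from datetime import datetime

# Constructed sample events, not taken from the poster's example.log.
# Each line carries a timestamp, a traceId and the message prefix that the
# transaction command keys on ("Model List" starts, "Response Code" ends).
# t5 has no matching end and is dropped; t2 and t3 are interleaved on purpose.
SAMPLE_LOG = """\
2024-05-01 10:00:00.000 traceId=t1 Model List requested
2024-05-01 10:00:00.400 traceId=t1 Response Code 200
2024-05-01 10:00:01.000 traceId=t2 Model List requested
2024-05-01 10:00:02.000 traceId=t3 Model List requested
2024-05-01 10:00:03.000 traceId=t3 Response Code 200
2024-05-01 10:00:03.500 traceId=t2 Response Code 500
2024-05-01 10:00:04.000 traceId=t4 Model List requested
2024-05-01 10:00:04.900 traceId=t4 Response Code 200
2024-05-01 10:00:05.000 traceId=t5 Model List requested
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) traceId=(?P<traceId>\S+) (?P<msg>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_events(text):
    """Turn raw log lines into events with _time (datetime), traceId and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that does not match the constructed format
        events.append({
            "_time": datetime.strptime(m.group("ts"), TS_FMT),
            "traceId": m.group("traceId"),
            "msg": m.group("msg"),
        })
    return sorted(events, key=lambda e: e["_time"])


def build_transactions(events, startswith="Model List", endswith="Response Code"):
    """Simplified model of `transaction traceId startswith=... endswith=...`.

    One open transaction per traceId; duration is end minus start in seconds
    and _time is the earliest event, as in Splunk. Unpaired starts are dropped
    (an assumption about the keepevicted=false default, not verified here).
    """
    open_starts = {}
    transactions = []
    for ev in events:
        tid = ev["traceId"]
        if ev["msg"].startswith(startswith):
            open_starts[tid] = ev["_time"]  # a new start replaces an unfinished one
        elif ev["msg"].startswith(endswith) and tid in open_starts:
            start = open_starts.pop(tid)
            transactions.append({
                "traceId": tid,
                "_time": start,
                "duration": (ev["_time"] - start).total_seconds(),
            })
    return transactions


def sequential_where(transactions):
    """The poster's failing pipeline: `where duration > 1` followed by
    `where duration < 1`. The second filter only sees rows that passed the
    first, so nothing survives and every count is 0."""
    rows = [t for t in transactions if t["duration"] > 1]
    rows = [t for t in rows if t["duration"] < 1]
    return {"count_gt_1": len(rows), "count_lt_1": len(rows), "count": len(rows)}


def flagged_stats(transactions):
    """The accepted answer's pattern: compute each bucket flag per row (eval/if),
    then aggregate once (stats sum/count). Also reports duration == 1 rows,
    which neither `> 1` nor `< 1` counts."""
    gt_1 = sum(1 for t in transactions if t["duration"] > 1)
    lt_1 = sum(1 for t in transactions if t["duration"] < 1)
    eq_1 = sum(1 for t in transactions if t["duration"] == 1)
    return {"gt_1": gt_1, "lt_1": lt_1, "eq_1": eq_1, "count": len(transactions)}


if __name__ == "__main__":
    tx = build_transactions(parse_events(SAMPLE_LOG))
    for t in tx:
        print(t["traceId"], t["duration"])
    print("sequential where:", sequential_where(tx))
    print("flag then stats:", flagged_stats(tx))
```

In SPL the same buckets can be written without helper fields as `stats count(eval(duration>1)) AS over_1s, count(eval(duration<1)) AS under_1s, count AS total`, which is equivalent to the sum(if(...)) form in the accepted answer. If transactions lasting exactly 1 second should land in one of the two buckets, use `>=` or `<=` on one side so that the two counts add up to the total.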

amunag439
Explorer

@cmerriman My eval is based on the duration values here. So how do I achieve it?


amunag439
Explorer

Thanks for the reply @cmerriman
