Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use Eval greater than, less than for a duration and Count the values

amunag439
Explorer
‎07-09-2019 10:55 AM

I'm calculating the time difference between two events by using Transaction and Duration. Below is the query that I used to get the duration between two events Model and Response

host=* sourcetype=** source="*/example.log" "Model*" OR "Response*"
 | transaction traceId startswith="Model" endswith="Response" 
 | table traceId duration _time

I want to get counts of transactions where duration>1, duration<1 and the total count in the same table. I was able to do it individually in separate queries using where clause and eval. But was not successful when I combined them. The individual query that works for me is 

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1
| stats count(less_dur)

Query that doesnt work me is 

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1 | eval more_dur=duration | where more_dur < 1
| stats count(less_dur), count(more_dur), count
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎07-09-2019 11:55 AM

I think there is a logical loop here. You're looking for duration>1 and then duration <1 and want to have the number of each of those.

How about

 "Model List*" OR "Response Code*"
 | transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=if(duration>1,1,0), moe_dur=if(duration<1,1,0)  | stats sum(less_dur), sum(more_dur), count

View solution in original post

Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎07-09-2019 11:55 AM

I think there is a logical loop here. You're looking for duration>1 and then duration <1 and want to have the number of each of those.

How about

 "Model List*" OR "Response Code*"
 | transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=if(duration>1,1,0), moe_dur=if(duration<1,1,0)  | stats sum(less_dur), sum(more_dur), count
Reply
Solved! Jump to solution

amunag439
Explorer
‎07-09-2019 12:17 PM

@tiagofbmm This is exactly what I was looking for. Thank you

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-09-2019 11:38 AM

So the reason that wouldn't work is because you're calculating less_dur and then filtering when it's less than 1. THEN you create more_dur, but the duration is already always less than 1. you would need to do both evals before the where statements.

0 Karma
Reply
Solved! Jump to solution

amunag439
Explorer
‎07-09-2019 11:44 AM

@cmerriman My eval is based on the duration values here. So how do I achieve it?

0 Karma
Reply
Solved! Jump to solution

amunag439
Explorer
‎07-09-2019 12:16 PM

Thanks for the reply @cmerriman

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...