Splunk Search

How to use eval and case results with bucket span to list categories with different time buckets?

Contributor

I am trying to get calls classified into different categories based on their response times:

sourcetype=abc | eval calls = case(time <300, "A", time >300 AND time<600, "B", time >600 AND time <1000, "C", time >1000 AND time <3000, "D", time >3000, "E")

How do I get it listed as different categories with different time buckets, 5m as an example?
I want to see results as :

time   A  B  C  D  E
9:00   1  2  2  1  0
9:05   2  1  4  5  1
9:10   2  1  3  1  9
9:15   6  1  3  2  1


SplunkTrust

You can do like this as well

sourcetype=abc | eval calls = case(time <300, "A", time<600, "B", time <1000, "C", time <3000, "D", time >3000, "E", 1=1, "unknown") | timechart span=5m count by calls

Champion

Hmm, can't you do this with eval in the stats command, instead of using a case?

... | bin span=5m _time | stats count(eval(time<300)) as A count(eval(time>=300 AND time < 600)) as B count(eval(time>=600 AND time < 1000)) as C  count(eval(time>=1000 AND time < 3000)) as D  count(eval(time>=3000)) as E  by _time

Champion

On an unrelated note, some nitpicking: your case, as it is, is slightly flawed. For one thing, if you have an event where time is 300, it will have null in the field calls - none of your cases apply to time = 300. Furthermore, the first comparison in each case after the first is unnecessary. If you have passed the first case, then time is definitely greater than 300, so you can just go ahead and check whether it is still less than 600. After that, it is definitely greater than 600, and so on. Your case could thus be improved to this:

... case(time <300, "A", time<600, "B", time <1000, "C", time <3000, "D", time >3000, "E", 1=1, "unknown")

This will make sure an event with time = 300 will get calls with a value "B", and it saves some calculations. This also handles the case that time is not a number (don't know if that can happen in your case, but it's always a good idea to have a default value).

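To make the boundary problem described above concrete, here is a small Python emulation of what the two case() expressions do to the 5-minute timechart the question asks for. This is an added example for this page, not code from the thread or from Splunk; the events, the base time (2024-01-01 09:00 UTC) and the rule that a non-numeric `time` fails every numeric comparison are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events: (_time as epoch seconds, response time `time`).
# The response times deliberately include the 300 and 600 boundaries and
# one non-numeric value, the cases the original case() does not cover.
BASE = int(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc).timestamp())  # 1704099600
EVENTS = [
    (BASE + 10, 120),
    (BASE + 40, 300),     # exactly on the A/B boundary
    (BASE + 65, 450),
    (BASE + 150, 999),
    (BASE + 195, 2500),
    (BASE + 299, 5000),
    (BASE + 301, 600),    # exactly on the B/C boundary
    (BASE + 360, "n/a"),  # non-numeric response time
    (BASE + 465, 50),
    (BASE + 599, 3500),
]


def num(t):
    """True when `time` is numeric (assumption: non-numeric values fail every comparison)."""
    return isinstance(t, (int, float)) and not isinstance(t, bool)


# case() as posted in the question: strict comparisons on both sides, no default.
ORIGINAL_RULES = [
    (lambda t: num(t) and t < 300, "A"),
    (lambda t: num(t) and 300 < t < 600, "B"),
    (lambda t: num(t) and 600 < t < 1000, "C"),
    (lambda t: num(t) and 1000 < t < 3000, "D"),
    (lambda t: num(t) and t > 3000, "E"),
]

# case() as improved in the answer above: each test relies on the previous
# one having failed, and 1=1 supplies the default value.
IMPROVED_RULES = [
    (lambda t: num(t) and t < 300, "A"),
    (lambda t: num(t) and t < 600, "B"),
    (lambda t: num(t) and t < 1000, "C"),
    (lambda t: num(t) and t < 3000, "D"),
    (lambda t: num(t) and t > 3000, "E"),
    (lambda t: True, "unknown"),  # 1=1
]


def classify(rules, t):
    """Emulates SPL case(): the first true condition wins; no match yields null (None)."""
    for cond, label in rules:
        if cond(t):
            return label
    return None


def timechart(events, span, rules):
    """Emulates `bin span=<span> _time | stats count by _time calls`.

    Events whose `calls` is null are dropped, as a split-by on a missing
    field drops them in Splunk. Returns {bucket_epoch: Counter(category)}.
    """
    table = defaultdict(Counter)
    for ts, t in events:
        label = classify(rules, t)
        if label is None:
            continue
        table[ts - ts % span][label] += 1
    return dict(table)


def render(table, categories=("A", "B", "C", "D", "E", "unknown")):
    """Formats the bucketed counts as the time / A B C D E table from the question."""
    lines = ["time   " + " ".join(categories)]
    for bucket in sorted(table):
        hhmm = datetime.fromtimestamp(bucket, timezone.utc).strftime("%H:%M")
        lines.append(hhmm + "  " + " ".join(str(table[bucket][c]) for c in categories))
    return "\n".join(lines)


if __name__ == "__main__":
    print("original case():")
    print(render(timechart(EVENTS, 300, ORIGINAL_RULES)))
    print()
    print("improved case():")
    print(render(timechart(EVENTS, 300, IMPROVED_RULES)))
```

Running it shows the practical consequence: with the original expression the events at exactly 300 and 600 and the non-numeric one never reach the chart (7 of 10 events are counted), whereas the improved expression counts all 10 and surfaces the bad value under "unknown", which is what you want when the chart is used to spot outliers rather than silently lose them.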

Contributor

I did once something like

sourcetype=abc | eval calls_A = if(time < 300, 1, 0)
               | eval calls_B = if(time >= 300 AND time < 600, 1, 0)
               | eval calls_C = if(time >= 600 AND time < 1000, 1, 0)
               | eval calls_D = if(time >= 1000 AND time < 3000, 1, 0)
               | eval calls_E = if(time >= 3000, 1, 0)
               | timechart span=5m sum(calls_A) as A sum(calls_B) as B sum(calls_C) as C sum(calls_D) as D sum(calls_E) as E

Splunk Employee

Your search would be based on the above plus something along the lines of the below...

... | bin span=5m _time | stats count by calls _time

Similar...

... | timechart span=5m count by calls