
Response Time search with a additional calculation

denisevw
Path Finder

Hi there Splunkers

I need some assistance with a search. We are calculating the response time between transactions by taking the last event and deducting it from the first event. That all works perfectly in this search:

index="my_index*" host="the_host*" sourcetype=my_sourcetype (Message_Type="123" OR Message_Type="456") | rex field=_raw "\d+:\d+:\d+\.(?<MilliSeconds>\d+)" | eval calctime=(_time*1000) | eval newtime=calctime+MilliSeconds | stats latest(newtime) as end earliest(newtime) as begin by UUID | eval responsetime=end-begin | eval Response_Time=round(responsetime/1000,3) | stats max(Response_Time) as Response_Time | chart first(Response_Time) as RT_Max

The challenge is to create a second scenario where, if the time exceeds 45.001 seconds (say, 54.269 or 67.598 seconds), then it should return a value of 45.000 seconds, where the value still needs to be calculable in the search...

I tried to use the "eval if" command but it gives an error:
eval if(newtime=<"45.001", "45.000", newtime)

Any assistance will be appreciated, thanks.


Ayn
Legend

You shouldn't be using a dot in your values there, this makes for an invalid integer. Use

... | eval newtime=if(newtime>=45001,45000,newtime)


denisevw
Path Finder

A strange thing is happening here...

When I run the search with the time picker set to the previous week, it shows different results in Verbose Mode and in Fast Mode\Smart Mode.
In Verbose Mode it is accurate, but in Fast Mode\Smart Mode it is totally wrong!
When I add the search to the Dashboard (Inline or Report), it obviously saves it in Fast Mode\Smart Mode.

What is the reason for this and how can I add "Verbose Mode" to the Inline search in the Dashboard?



richgalloway
SplunkTrust

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

denisevw
Path Finder

Thanks for the instant feedback.

I've added your recommendation and it worked with
eval Response_Time=if(restime>45,"45.000",restime)
I just needed to rearrange some naming and it worked perfectly.


richgalloway
SplunkTrust

If you want to limit the maximum value of Response_Time, try

eval Response_Time=if(Response_Time>45,45,Response_Time)

If you want to create a new variable, try

eval newtime=if(Response_Time>45,45,Response_Time)
---
If this reply helps you, Karma would be appreciated.
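The original search with the cap folded in, as an added example that is not one of the replies above. It keeps the thread's index, host, sourcetype, Message_Type and UUID names and its millisecond extraction as assumptions, parenthesises the OR because SPL evaluates AND before OR, and uses eval's numeric min() so the capped value stays a number for the later stats rather than a string like "45.000".

```spl
index="my_index*" host="the_host*" sourcetype=my_sourcetype (Message_Type="123" OR Message_Type="456")
| rex field=_raw "\d+:\d+:\d+\.(?<MilliSeconds>\d+)"
| eval newtime=(_time*1000)+MilliSeconds
| stats latest(newtime) as end earliest(newtime) as begin by UUID
| eval Response_Time=round((end-begin)/1000,3)
| eval Response_Time=min(Response_Time, 45)
| stats max(Response_Time) as RT_Max
```

Because the cap is applied per UUID before the final stats, a transaction of 54.269 seconds contributes 45 to RT_Max while transactions under 45 seconds are reported unchanged.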