Hi there Splunkers
I need some assistance with a search. We are calculating the response time between transactions by taking the last event and deducting if from the first event. That all works perfectly in this search:
index="my_index* host="the_host*" sourcetype=my_sourcetype Message_Type="123" OR Message_Type="456" | rex field=_raw "\d+:\d+:\d+\.(?<MilliSeconds>\d+)" | eval calctime=(_time*1000) | eval newtime=calctime+MilliSeconds | stats latest(newtime) as end earliest(newtime) as begin by UUID | eval responsetime=end-begin | eval Response_Time=round(responsetime/1000,3) | stats max(Response_Time) as Response_Time | chart first(Response_Time) as RT_Max
The challenge is to create a second scenario where, if the time exceeds 45.001 seconds (say, 54.269 or 67.598 seconds), then it should return a value of 45.000 seconds where the value still need to be calculable in the search....
I tried to use the "eval if" command but it gives and error
eval if(newtime=<"45.001", "45.000", newtime)
Any assistance will be appreciated, thanks.
A strange thing is happening here...
When I run the search, time picked for previous week, it shows different results in Verbose Mode and Fast Mode\Smart Mode.
In Verbose Mode is accurate but, in Fast Mode\Smart Mode, it is totally wrong!
When I add the search to the Dashboard (Inline or Report), it obviously saves it in the Fast Mode\Smart Mode.
What is the reason for this and how can I add "Verbose Mode" to the Inline search in the Dashboard?
Thanks for the instant feedback.
I've added your recommendation and it worked with
just needed to rearrange some naming and it worked perfect.
If you want limit the maximum value of Response_Time, try
If you want to create a new variable, try