Solved: Results on daily basis with rangemap

vijkuma · ‎12-08-2020

My Query : --- | stats count by "response time" | rename "response time" as "time_taken" | rangemap field=time_taken upto_5_sec=0-5000 default=more_then_5_sec | stats sum(count) by range

How can i get this result distributed on daily basis.

Current result :

upto_5_sec	100
more_then_5_sec	1

Expected result :

2020-12-05	upto_5_sec	80
	more_then_5_sec	0

2020-12-06	upto_5_sec	20
	more_then_5_sec	1

scelikok · ‎12-08-2020

@vijkuma , please try below;

| stats count by "response time" _time
| rename "response time" as "time_taken" 
| rangemap field=time_taken upto_5_sec=0-5000 default=more_then_5_sec 
| bin span=1d _time 
| stats sum(count) as count by _time range 
| stats list(range) as range list(count) as count by _time

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

vijkuma · ‎12-08-2020

This worked. @scelikok Thanks for the help. Much appreciated !!!

scelikok · ‎12-08-2020

@vijkuma , please try below;

| stats count by "response time" _time
| rename "response time" as "time_taken" 
| rangemap field=time_taken upto_5_sec=0-5000 default=more_then_5_sec 
| bin span=1d _time 
| stats sum(count) as count by _time range 
| stats list(range) as range list(count) as count by _time

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Results on daily basis with rangemap

count

stats

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases