Hi, I am new to Splunk and couldn't figure out how to work with OpenTelemetry's histogram bucket in Splunk.
I have a basic set up of 3 buckets from OTel, with le=2000, 8000, +Inf and the bucket name is "http.server.duration_bucket".
My goal is to display the number count inside the 3 buckets for a 15min period, perform a calculations using those values, and add the calculated value as a 4th column.
I came up with this so far:
| mstats max("http.server.duration_bucket") chart=true WHERE "index"="metrics" span=15m BY le
| fields - _span*
| rename * AS "* /s"
| rename "_time /s" AS _time
But immediately I see 2 issues:
a) the 8000 bucket results are added with 2000 bucket results as well because they are recorded as cumulative histograms.
b) the values inside the bucket is always increasing, so I cannot isolate how many counts belong to 2000 bucket now vs the same bucket 15mins ago.
And I realized that I don't know how to get the right calculation and separate the buckets without using "BY le", so I cannot perform calculations from there.
So my question is:
1) Is there an example of function for displaying the real non-cumulative values in the histogram for a given period?
2) If my calculation is max(le=2000)*0.6 + max(le=8000)*0.4, how would I add that as a column to the search?
Thanks in advance!
