Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to set not continuous number span for bucket value

cheriemilk
Path Finder
‎11-04-2021 05:05 PM

Hi team,

I have such event in splunk that log the employee number in each online meeting. I want to 

find and sats the employee number distribution and percentage%

I have below query that the bin span is continuous number 100.

<baseQuery>
|bin empNumber span=100
|stats count by empNumber
|eventstats sum(count) as total
|eval ratio%=round(empNumber/total*100,2)
|fields - total,empNumber
|sort - ratio%

 

But now the stats requirement is changed. Because 90% online meeting has employee number less than 100, so I want to set such not continuous bins in one query

1) for online meeting that  employee number less than 100, I want to set the bin value to 10

2)for online meeting that employee number greater than 100, I want to set the bin value to 100

And I don't want to query two times, stats by binvalue=100 first, then stats binvalue=10 again. I want to make it happen in one query.

Questions: how to change  my existing query to meet the query requirement.

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2021 11:43 PM 
| eval empNumber=if(empNumber<100,(floor(empNumber/10)*10)."-".(floor((empNumber+10)/10)*10),(floor(empNumber/100)*100)."-".(floor((empNumber+100)/100)*100))
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...