Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to set not continuous number span for bucket value

cheriemilk
Path Finder
‎11-04-2021 05:05 PM

Hi team,

I have such event in splunk that log the employee number in each online meeting. I want to 

find and sats the employee number distribution and percentage%

I have below query that the bin span is continuous number 100.

<baseQuery>
|bin empNumber span=100
|stats count by empNumber
|eventstats sum(count) as total
|eval ratio%=round(empNumber/total*100,2)
|fields - total,empNumber
|sort - ratio%

 

But now the stats requirement is changed. Because 90% online meeting has employee number less than 100, so I want to set such not continuous bins in one query

1) for online meeting that  employee number less than 100, I want to set the bin value to 10

2)for online meeting that employee number greater than 100, I want to set the bin value to 100

And I don't want to query two times, stats by binvalue=100 first, then stats binvalue=10 again. I want to make it happen in one query.

Questions: how to change  my existing query to meet the query requirement.

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2021 11:43 PM 
| eval empNumber=if(empNumber<100,(floor(empNumber/10)*10)."-".(floor((empNumber+10)/10)*10),(floor(empNumber/100)*100)."-".(floor((empNumber+100)/100)*100))
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...