Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- multiple subsearch using appendpipe
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create a search that will give a table displaying counts for multiple time_taken intervals. For example I want to display the counts for calls with a time_taken of 0, time_taken between 1 and 15, time_taken between 16 and 30, time_taken between 31 and 45, time_taken between 46 and 60.......time_taken greater than 300.
Here is the search I have been playing around with to no avail:
|stats avg(time_taken) as Scenario count(eval(time_taken =0)) as Count | eval Scenario = "Calls returning in 0 time"
|appendpipe [stats count(eval(time_taken > 0 AND time_taken <= 15)) as Count | eval Scenario = "Calls returning between 1 and 15 time"]
|appendpipe [stats count(eval(time_taken > 16 AND time_taken <= 30)) as Count | eval Scenario = "Calls returning between 16 and 30 time"]
|appendpipe [stats count(eval(time_taken > 31 AND time_taken <= 45)) as Count | eval Scenario = "Calls returning between 31 and 45 time"]
|appendpipe [stats count(eval(time_taken > 46 AND time_taken <= 60)) as Count | eval Scenario = "Calls returning between 46 and 60 time"]
|appendpipe [stats count(eval(time_taken > 61 AND time_taken <= 100)) as Count | eval Scenario = "Calls returning between 61 and 100 time"]
|appendpipe [stats count(eval(time_taken > 101 AND time_taken <= 200)) as Count | eval Scenario = "Calls returning between 101 and 200 time"]
|appendpipe [stats count(eval(time_taken > 201 AND time_taken <= 300)) as Count | eval Scenario = "Calls returning between 201 and 300 time"]
|appendpipe [stats count(eval(time_taken > 300)) as Count | eval Scenario = "Calls returning more than 300"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, your eval Scenario= is clobbering your as Scenario so you are losing your main data element. Second, you really don't need to append anything. Give this a try:
|stats avg(time_taken) as Scenario
count(eval(time_taken =0)) as "Calls returning in 0 time"
count(eval(time_taken > 0 AND time_taken <= 15)) as "Calls returning between 1 and 15 time"
count(eval(time_taken > 16 AND time_taken <= 30)) as "Calls returning between 16 and 30 time"
count(eval(time_taken > 31 AND time_taken <= 45)) as "Calls returning between 31 and 45 time"
count(eval(time_taken > 46 AND time_taken <= 60)) as "Calls returning between 46 and 60 time"
count(eval(time_taken > 61 AND time_taken <= 100)) as "Calls returning between 61 and 100 time"
count(eval(time_taken > 101 AND time_taken <= 200)) as "Calls returning between 101 and 200 time"
count(eval(time_taken > 201 AND time_taken <= 300)) as "Calls returning between 201 and 300 time"
count(eval(time_taken > 300)) as "Calls returning more than 300"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, your eval Scenario= is clobbering your as Scenario so you are losing your main data element. Second, you really don't need to append anything. Give this a try:
|stats avg(time_taken) as Scenario
count(eval(time_taken =0)) as "Calls returning in 0 time"
count(eval(time_taken > 0 AND time_taken <= 15)) as "Calls returning between 1 and 15 time"
count(eval(time_taken > 16 AND time_taken <= 30)) as "Calls returning between 16 and 30 time"
count(eval(time_taken > 31 AND time_taken <= 45)) as "Calls returning between 31 and 45 time"
count(eval(time_taken > 46 AND time_taken <= 60)) as "Calls returning between 46 and 60 time"
count(eval(time_taken > 61 AND time_taken <= 100)) as "Calls returning between 61 and 100 time"
count(eval(time_taken > 101 AND time_taken <= 200)) as "Calls returning between 101 and 200 time"
count(eval(time_taken > 201 AND time_taken <= 300)) as "Calls returning between 201 and 300 time"
count(eval(time_taken > 300)) as "Calls returning more than 300"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks...this logic got the main data needed for the dashboard I am building. Something I haven't had since I began a week ago. The results are given all on a single row (one line of output). I am hoping to have the results in one column. This way I can use the pie chart in my dash.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For a 1 column, just add this:
... | transpose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked absolutely perfect.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way woodcock thanks a million for the answer. If I cannot get my pie chart to work, I will find a way to make the one line result work in the dashboard.
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
Introduction to Splunk AI
