Splunk Search

multiple subsearch using appendpipe

ljohnson_possib
New Member

I am trying to create a search that will give a table displaying counts for multiple time_taken intervals. For example I want to display the counts for calls with a time_taken of 0, time_taken between 1 and 15, time_taken between 16 and 30, time_taken between 31 and 45, time_taken between 46 and 60, ..., time_taken greater than 300.

Here is the search I have been playing around with to no avail:

|stats avg(time_taken) as Scenario count(eval(time_taken =0)) as Count | eval Scenario = "Calls returning in 0 time"
|appendpipe [stats count(eval(time_taken > 0 AND time_taken <= 15)) as Count | eval Scenario = "Calls returning between 1 and 15 time"]
|appendpipe [stats count(eval(time_taken > 16 AND time_taken <= 30)) as Count | eval Scenario = "Calls returning between 16 and 30 time"]
|appendpipe [stats count(eval(time_taken > 31 AND time_taken <= 45)) as Count | eval Scenario = "Calls returning between 31 and 45 time"]
|appendpipe [stats count(eval(time_taken > 46 AND time_taken <= 60)) as Count | eval Scenario = "Calls returning between 46 and 60 time"]
|appendpipe [stats count(eval(time_taken > 61 AND time_taken <= 100)) as Count | eval Scenario = "Calls returning between 61 and 100 time"]
|appendpipe [stats count(eval(time_taken > 101 AND time_taken <= 200)) as Count | eval Scenario = "Calls returning between 101 and 200 time"]
|appendpipe [stats count(eval(time_taken > 201 AND time_taken <= 300)) as Count | eval Scenario = "Calls returning between 201 and 300 time"]
|appendpipe [stats count(eval(time_taken > 300)) as Count | eval Scenario = "Calls returning more than 300"]

1 Solution

woodcock
Esteemed Legend

First of all, your eval Scenario= is clobbering your as Scenario so you are losing your main data element. Second, you really don't need to append anything. Give this a try:

|stats avg(time_taken) as Scenario
count(eval(time_taken = 0)) as "Calls returning in 0 time"
count(eval(time_taken > 0 AND time_taken <= 15)) as "Calls returning between 1 and 15 time"
count(eval(time_taken > 15 AND time_taken <= 30)) as "Calls returning between 16 and 30 time"
count(eval(time_taken > 30 AND time_taken <= 45)) as "Calls returning between 31 and 45 time"
count(eval(time_taken > 45 AND time_taken <= 60)) as "Calls returning between 46 and 60 time"
count(eval(time_taken > 60 AND time_taken <= 100)) as "Calls returning between 61 and 100 time"
count(eval(time_taken > 100 AND time_taken <= 200)) as "Calls returning between 101 and 200 time"
count(eval(time_taken > 200 AND time_taken <= 300)) as "Calls returning between 201 and 300 time"
count(eval(time_taken > 300)) as "Calls returning more than 300"


ljohnson_possib
New Member

Thanks... this logic got the main data needed for the dashboard I am building. Something I haven't had since I began a week ago. The results are given all on a single row (one line of output). I am hoping to have the results in one column. This way I can use the pie chart in my dash.


woodcock
Esteemed Legend

For a single column, just add this:

... | transpose
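The accepted stats search and the transpose step combined into one pie-chart-ready search, as an added example that is not from this thread. It assumes an index and sourcetype (index=main, sourcetype=access_combined) and a numeric time_taken field; the bucket boundaries are closed so integer values such as 16 or 31 land in a bucket, and the average is dropped before transpose because it would otherwise become a slice of the pie. The transpose output columns "column" and "row 1" are renamed to the Scenario/Count pair the dashboard expects.

```spl
index=main sourcetype=access_combined time_taken=*
| stats avg(time_taken) as avg_time_taken
        count(eval(time_taken = 0)) as "Calls returning in 0 time"
        count(eval(time_taken > 0 AND time_taken <= 15)) as "Calls returning between 1 and 15 time"
        count(eval(time_taken > 15 AND time_taken <= 30)) as "Calls returning between 16 and 30 time"
        count(eval(time_taken > 30 AND time_taken <= 45)) as "Calls returning between 31 and 45 time"
        count(eval(time_taken > 45 AND time_taken <= 60)) as "Calls returning between 46 and 60 time"
        count(eval(time_taken > 60 AND time_taken <= 100)) as "Calls returning between 61 and 100 time"
        count(eval(time_taken > 100 AND time_taken <= 200)) as "Calls returning between 101 and 200 time"
        count(eval(time_taken > 200 AND time_taken <= 300)) as "Calls returning between 201 and 300 time"
        count(eval(time_taken > 300)) as "Calls returning more than 300"
| fields - avg_time_taken
| transpose
| rename column AS Scenario, "row 1" AS Count
```

If the average is still wanted on the dashboard, run the avg(time_taken) in a separate single-value panel rather than leaving it in the transposed table.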

ljohnson_possib
New Member

That worked absolutely perfect.


ljohnson_possib
New Member

By the way woodcock thanks a million for the answer. If I cannot get my pie chart to work, I will find a way to make the one line result work in the dashboard.
