
How to use eval and case results with bucket span to list categories with different time buckets?

nmohammed
Contributor

I am trying to get calls classified into different categories based on their response times:

sourcetype=abc |eval calls = case(time <300, "A",  time >300 AND time<600, "B", time >600 AND  time <1000, "C",  time >1000 AND  time <3000, "D",  time >3000, "E")   

How do I get it listed as different categories with different time buckets, 5m as an example?
I want to see results as :

time  A B C D E
9:00  1 2 2 1 0
9:05  2 1 4 5 1
9:10  2 1 3 1 9
9:15  6 1 3 2 1

0 Karma

somesoni2
SplunkTrust

You can do like this as well

sourcetype=abc | eval calls = case(time<300, "A", time<600, "B", time<1000, "C", time<3000, "D", time>=3000, "E", 1=1, "unknown") | timechart span=5m count by calls
0 Karma

maciep
Champion

hmm, can't you do this with eval in the stats command, instead of using a case?

... | bin span=5m _time | stats count(eval(time<300)) as A count(eval(time>=300 AND time < 600)) as B count(eval(time>=600 AND time < 1000)) as C  count(eval(time>=1000 AND time < 3000)) as D  count(eval(time>=3000)) as E  by _time
0 Karma

jeffland
SplunkTrust

On an unrelated note, some nitpicking: your case as it is is slightly flawed. For one thing, if you have an event where time is 300, it will have null in the field calls - none of your cases apply to time = 300. Furthermore, the first comparison in each case after the first is unnecessary. If you have passed the first case, then time is definitely greater than 300, so you can just go ahead and check whether it is still less than 600. After that, it is definitely greater than 600, and so on. Your case could thus be improved to this:

... case(time<300, "A", time<600, "B", time<1000, "C", time<3000, "D", time>=3000, "E", 1=1, "unknown")

This will make sure an event with time = 300 will get calls with a value "B", and it saves some calculations. This also handles the case that time is not a number (don't know if that can happen in your case, but it's always a good idea to have a default value).

0 Karma
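Added illustration, not part of the thread: the boundary problem jeffland describes is easy to see when the two case() variants are run over a handful of constructed events. The Python below emulates the SPL pieces this thread uses (case() as "first true condition wins, otherwise null", bin span=5m, and count by a split field that drops null values, as stats/timechart do) and prints the table shape the question asks for. Event timestamps, response times and the name "n/a" for a non-numeric value are all made up here; the emulation also assumes a non-numeric time matches none of the numeric comparisons, which is a simplification of Splunk's own comparison rules.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post): (epoch _time, response time "time").
# Values are chosen to hit every bucket boundary from the question: 300, 600, 1000, 3000.
BASE = int(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc).timestamp())  # 09:00 UTC, a 5m boundary
EVENTS = [
    (BASE + 10, 100),     # 09:00 bucket, clearly A
    (BASE + 20, 300),     # 09:00 bucket, exactly on the A/B boundary
    (BASE + 30, 450),     # 09:00 bucket, clearly B
    (BASE + 310, 600),    # 09:05 bucket, exactly on the B/C boundary
    (BASE + 320, 1000),   # 09:05 bucket, exactly on the C/D boundary
    (BASE + 330, 2500),   # 09:05 bucket, clearly D
    (BASE + 610, 3000),   # 09:10 bucket, exactly on the D/E boundary
    (BASE + 620, 4500),   # 09:10 bucket, clearly E
    (BASE + 630, "n/a"),  # 09:10 bucket, non-numeric value (assumed; label is made up)
]


def is_num(t):
    """Splunk field values are strings; treat anything float() accepts as numeric."""
    try:
        float(t)
        return True
    except (TypeError, ValueError):
        return False


def case(*pairs):
    """Emulate SPL case(): the value of the first true condition; None (SPL null) if none match."""
    for cond, value in pairs:
        if cond:
            return value
    return None


def classify_original(t):
    """The question's case(): strict comparisons on both sides leave gaps at each boundary."""
    if not is_num(t):
        return None  # assumption: non-numeric time matches no numeric comparison
    t = float(t)
    return case((t < 300, "A"), (300 < t < 600, "B"), (600 < t < 1000, "C"),
                (1000 < t < 3000, "D"), (t > 3000, "E"))


def classify_improved(t):
    """The suggested case(): each branch only needs the upper bound, plus a 1=1 default."""
    if not is_num(t):
        return "unknown"  # the 1=1, "unknown" branch
    t = float(t)
    return case((t < 300, "A"), (t < 600, "B"), (t < 1000, "C"), (t < 3000, "D"),
                (t >= 3000, "E"), (True, "unknown"))


def bin_time(epoch, span=300):
    """Emulate '| bin span=5m _time': floor the timestamp to the span."""
    return epoch - (epoch % span)


def timechart_count_by(events, classify, span=300):
    """Emulate '| timechart span=5m count by calls'. Events whose split field is null are
    dropped, which is how stats/timechart treat a null 'by' field."""
    table = defaultdict(lambda: defaultdict(int))
    for ts, t in events:
        category = classify(t)
        if category is None:
            continue
        table[bin_time(ts, span)][category] += 1
    return {ts: dict(counts) for ts, counts in sorted(table.items())}


def render(table, columns):
    """Print the pivoted table in the layout the question asks for."""
    lines = ["time " + " ".join(columns)]
    for ts, counts in table.items():
        hhmm = datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M")
        lines.append(hhmm + " " + " ".join(str(counts.get(c, 0)) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    cols = ["A", "B", "C", "D", "E", "unknown"]
    print("original case (boundary events silently dropped):")
    print(render(timechart_count_by(EVENTS, classify_original), cols))
    print("\nimproved case (every event lands in a column):")
    print(render(timechart_count_by(EVENTS, classify_improved), cols))
```

With the original case(), four of the nine constructed events (300, 600, 1000, 3000) get a null calls field and vanish from the chart without any error; with the improved case() every event is counted and the non-numeric one shows up under unknown, which is the behaviour you want when the column totals are supposed to add up to the number of calls.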

FritzWittwer_ol
Contributor

I once did something like

sourcetype=abc
| eval calls_A = if(time < 300, 1, 0)
| eval calls_B = if(time >= 300 AND time < 600, 1, 0)
| eval calls_C = if(time >= 600 AND time < 1000, 1, 0)
| eval calls_D = if(time >= 1000 AND time < 3000, 1, 0)
| eval calls_E = if(time >= 3000, 1, 0)
| timechart span=5m sum(calls_A) as A sum(calls_B) as B sum(calls_C) as C sum(calls_D) as D sum(calls_E) as E
0 Karma

esix_splunk
Splunk Employee

Your search would be based on the above plus something along the lines of the below...

.. | bin span=5m _time | stats count by calls _time

Similar..

.. | timechart span=5m count by calls
0 Karma