I am trying to get calls classified into different categories based on their response times:
sourcetype=abc |eval calls = case(time <300, "A", time >300 AND time<600, "B", time >600 AND time <1000, "C", time >1000 AND time <3000, "D", time >3000, "E")
How do I get it listed as different categories with different time buckets, 5m as an example?
I want to see results as :
time A B C D E
9:00 1 2 2 1 0
9:05 2 1 4 5 1
9:10 2 1 3 1 9
9:15 6 1 3 2 1
You can do like this as well
sourcetype=abc |eval calls = case(time <300, "A", time<600, "B", time <1000, "C", time <3000, "D", time >=3000, "E", 1=1, "unknown") | timechart span=5m count by calls
hmm, can't you do this with eval in the stats command, instead of using a case?
... | bin span=5m _time | stats count(eval(time<300)) as A count(eval(time>=300 AND time < 600)) as B count(eval(time>=600 AND time < 1000)) as C count(eval(time>=1000 AND time < 3000)) as D count(eval(time>=3000)) as E by _time
On an unrelated note, some nitpicking: your case, as it is, is slightly flawed. For one thing, if you have an event where time is 300, it will have null in the field calls - none of your cases apply to time = 300. Furthermore, the first comparison in each case after the first is unnecessary. If you have passed the first case, then time is definitely greater than 300, so you can just go ahead and check whether it is still less than 600. After that, it is definitely greater than 600, and so on. Your case could thus be improved to this:
... case(time <300, "A", time<600, "B", time <1000, "C", time <3000, "D", time >=3000, "E", 1=1, "unknown")
This will make sure an event with time = 300 will get calls with a value "B", and it saves some calculations. This also handles the case that time is not a number (don't know if that can happen in your case, but it's always a good idea to have a default value).
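The bucketing described in the question and in the answer above, as a self-contained search you can paste into Splunk without needing the sourcetype=abc data (added example, not part of the original thread). It builds twelve constructed events with makeresults, spaced 90 seconds apart from 09:00, and assigns a response time to each, deliberately including the boundary values 300, 600, 1000 and 3000 and one non-numeric value "n/a". The case statement uses the half-open buckets (lower bound inclusive, upper bound exclusive) from the answer, and guards with isnum(time) first, because eval compares a non-numeric string against a number lexicographically rather than failing, so a bare 1=1 default alone does not reliably catch bad values:

```spl
| makeresults count=12
| streamstats count AS n
| eval _time = strptime("2024-01-01 09:00:00", "%Y-%m-%d %H:%M:%S") + (n - 1) * 90
| eval time = case(n=1, 120, n=2, 300, n=3, 599, n=4, 600, n=5, 999, n=6, 1000, n=7, 2999, n=8, 3000, n=9, 4500, n=10, "n/a", n=11, 50, n=12, 3100)
| eval calls = case(NOT isnum(time), "unknown", time < 300, "A", time < 600, "B", time < 1000, "C", time < 3000, "D", 1=1, "E")
| timechart span=5m count BY calls
```

Each line after the first three is the part you would keep when running against real data: replace the makeresults/streamstats/eval time lines with your base search (sourcetype=abc) and the rest applies unchanged. The output has one row per 5-minute bucket and one column per category, which is the table shape asked for; by construction 300 lands in B and 3000 in E (not null or "unknown"), and "n/a" shows up in its own unknown column so malformed events are visible rather than silently miscounted.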
I did once something like
sourcetype=abc | eval calls_A = if(time < 300, 1,0)
| eval calls_B = if(time >= 300 AND time < 600, 1,0)
| eval calls_C = if(time >= 600 AND time < 1000, 1,0)
| eval calls_D = if(time >= 1000 AND time < 3000, 1,0)
| eval calls_E = if(time >= 3000, 1,0)
| timechart span=5m sum(calls_A) as A sum(calls_B) as B sum(calls_C) as C sum(calls_D) as D sum(calls_E) as E
Your search would be based on the above plus something along the lines of the below...
.. | bin span=5m _time | stats count by calls _time
Similar..
.. | timechart span=5m count by calls