I am looking for a query to group a set of transactions with respect to their duration. The output should be like this.
Duration Count
0-1 200
1-2 50
2-3 10
etc..
As Yann was mentioning, once you have the duration value from transaction you can use rangemap to do something like this:
... | rangemap field=duration 0-10=0-10 11-100=11-100 100-500=100-500 default=500+
| stats count by range
Thanks! I get some overlapping ranges and it gets displayed as
Range Count
2-3 3-4 78
4-5 3-4 98
Is there any way to get the overlapped duration value assigned to a unique range?
For example, a duration of 2 should show up in the 2-3 range and not in 1-2.
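The boundary problem in this comment (a duration of exactly 2 appearing in both 1-2 and 2-3) goes away if every bucket is a half-open interval [lo, lo+span), so each value belongs to exactly one bucket. The following is an added example, not from this thread or from Splunk; it is plain Python rather than SPL so the bucketing rule can be checked offline, with a constructed list of durations standing in for the `duration` field that `transaction` would produce. In Splunk itself, `bin span=1 duration` (alias `bucket`) applies the same half-open rule and yields labels such as `2-3`, which can then be fed to `stats count by duration`.

```python
from collections import Counter

# Constructed sample: one duration (in seconds) per transaction, playing the
# role of the `duration` field that Splunk's transaction command produces.
SAMPLE_DURATIONS = [0.4, 0.9, 1.0, 1.5, 2.0, 2.0, 2.7, 3.0, 4.2, 12.0]


def range_label(duration, span=1.0, ceiling=10.0, default="10+"):
    """Map a duration onto the half-open bucket [lo, lo + span).

    Half-open intervals put a boundary value such as 2.0 into exactly one
    bucket ("2-3"), never into both "1-2" and "2-3".  Values at or above
    `ceiling` get the catch-all `default` label, like rangemap's default=.
    """
    if duration < 0:
        raise ValueError("duration must be non-negative")
    if duration >= ceiling:
        return default
    lo = int(duration // span) * span
    hi = lo + span

    # Print whole-number bounds without a trailing ".0" so labels read "2-3".
    def fmt(x):
        return str(int(x)) if float(x).is_integer() else str(x)

    return f"{fmt(lo)}-{fmt(hi)}"


def count_by_range(durations, **kwargs):
    """Equivalent of `| stats count by range`, ordered by each bucket's lower bound."""
    counts = Counter(range_label(d, **kwargs) for d in durations)

    def sort_key(label):
        # Numeric prefix of the label; the open-ended default bucket sorts last.
        head = label.split("-")[0].rstrip("+")
        return (label.endswith("+"), float(head))

    return [(label, counts[label]) for label in sorted(counts, key=sort_key)]


if __name__ == "__main__":
    for label, n in count_by_range(SAMPLE_DURATIONS):
        print(f"{label}\t{n}")
```

With the sample above, the two durations of exactly 2.0 are counted once each under `2-3` and nothing under `1-2` gains a second copy; `span` and `ceiling` are the two knobs to change when the buckets need to be wider or the catch-all threshold higher.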
If you use the transaction function, the duration field exists.
So you have to redefine ranges with a new field like "durationrange" (see eval functions or rangemap)
http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Rangemap
Finally use "| sort -durationrange" at the end of the search.
Thanks! Is there any way to deal with the overlapped values? More details in the comment below...