hi i have two fields: IDs and response time in seconds. so by using the response time, i need to break down events
0-1 sec how many IDs were processed (their count)
1-2 sec how many IDs were processed
.....
9-10 sec how many IDs were processed
can someone help me thanks.
Have a look at these two answers and that is what I think you are looking for:
https://answers.splunk.com/answers/28420/custom-chart-bucket-span-widths.html
https://answers.splunk.com/answers/233835/reliable-way-to-specify-span-to-bucket-numeric-val.html
Have a look at these two answers and that is what I think you are looking for:
https://answers.splunk.com/answers/28420/custom-chart-bucket-span-widths.html
https://answers.splunk.com/answers/233835/reliable-way-to-specify-span-to-bucket-numeric-val.html
Thanks for your answer i got it by using the ceil and floor commands...thank you so much for your answers..it looks like it will also work for my case
Seems like you need the following, IDs processed every second (which in-turn will require you to run the search for shorter duration) :
your base search ID=* | timechart span=1s count(ID) as "IDs Processed"
If this is not what you need please provide field names and examples.