Splunk Search

Is it possible to divide results into buckets of varying sizes?

Glenn
Builder

I'd like to be able to provide a chart that divides data into sets (buckets) of different sizes.

The underlying search returns a large number of transactions, and we are interested in tracking those with abnormally long durations. To do this, we hoped to somehow be able to divide the durations into "human-useful" buckets like 0-20ms, 20-40ms, 40-60ms, 80-100ms, 100-200ms, 200ms+ (note these buckets are not all the same size, and one doesn't even have an upper extent).

I have tried using a postprocessing command "| chart count(_raw) by duration span=20ms", but of course this this results in a large number of ranges up to the longest durations, most of which have nothing in them.

Is there a builtin way to specify all of the bucket extents, or if not, use a combination of postprocessing commands to work this out?

Tags (2)
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

You can certainly compute your own bucket sizes using the eval command. For example, in your case you would search:

... | eval duration_group = case(duration < 20, "0-20 ms", duration < 40, "20-40 ms", duration < 60, "40-60 ms", duration < 80, "60-80 ms", duration < 100, "80-100 ms", duration < 200, "100-200 ms", 1==1, ">200 ms") | chart count by duration_group

View solution in original post

ziegfried
Influencer

Using the rangemap command is an option as well:

... | rangemap field=duration "0-20ms"=0-20 "20-40ms"=20-40 "40-60ms"=40-60 "60-80ms"=60-80 "80-100ms"=80-100 "100-200ms"=100-200 default="200ms+" | stats count by range

Stephen_Sorkin
Splunk Employee
Splunk Employee

You can certainly compute your own bucket sizes using the eval command. For example, in your case you would search:

... | eval duration_group = case(duration < 20, "0-20 ms", duration < 40, "20-40 ms", duration < 60, "40-60 ms", duration < 80, "60-80 ms", duration < 100, "80-100 ms", duration < 200, "100-200 ms", 1==1, ">200 ms") | chart count by duration_group

srikarbaswa446
New Member

Here in this case difference inn range is 0-20,20-40,40-60 if it has different ranges like 0-40,40-60,60-90
How to write a query for that ?

0 Karma

hbazan
Path Finder

try "| chart count(_raw) by duration span=log2", does it do the trick? BTW, it should work with "| bucket duration span=log2" but I'm getting an exception, I'm sending a bug report

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...