Splunk Search

How to use Eval greater than, less than for a duration and Count the values

amunag439
Explorer

I'm calculating the time difference between two events by using Transaction and Duration. Below is the query that I used to get the duration between two events Model and Response

host=* sourcetype=** source="*/example.log" "Model*" OR "Response*"
 | transaction traceId startswith="Model" endswith="Response" 
 | table traceId duration _time

I want to get counts of transactions where duration>1, duration<1 and the total count in the same table. I was able to do it individually in separate queries using where clause and eval. But was not successful when I combined them. The individual query that works for me is

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1
| stats count(less_dur)

The query that doesn't work for me is

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1 | eval more_dur=duration | where more_dur < 1
| stats count(less_dur), count(more_dur), count
0 Karma
1 Solution

tiagofbmm
Influencer

I think there is a logical loop here. You're looking for duration>1 and then duration <1 and want to have the number of each of those.

How about

 "Model List*" OR "Response Code*"
 | transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=if(duration>1,1,0), more_dur=if(duration<1,1,0) | stats sum(less_dur), sum(more_dur), count

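As an added example (not part of the thread), the same flag-and-sum approach with readable column aliases and a third bucket for durations of exactly 1 second, which the >1 / <1 pair above silently leaves out of both buckets; the final eval is a sanity check that the buckets add up to the transaction count. It assumes the same search terms and traceId field as the question.

```spl
"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code"
| eval over_1=if(duration>1,1,0), under_1=if(duration<1,1,0), exactly_1=if(duration==1,1,0)
| stats sum(over_1) AS over_1s, sum(under_1) AS under_1s, sum(exactly_1) AS exactly_1s, count AS total
| eval check=if(over_1s+under_1s+exactly_1s==total,"ok","mismatch")
```

The same counts can be taken without the intermediate eval fields using `stats count(eval(duration>1)) AS over_1s, count(eval(duration<1)) AS under_1s, count AS total`, which is the usual Splunk idiom for conditional counts.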
amunag439
Explorer

@tiagofbmm This is exactly what I was looking for. Thank you

0 Karma

cmerriman
Super Champion

So the reason that wouldn't work is because you're calculating less_dur and then filtering when it's less than 1. THEN you create more_dur, but the duration is already always less than 1. You would need to do both evals before the where statements.

0 Karma

amunag439
Explorer

@cmerriman My eval is based on the duration values here. So how do I achieve it?

0 Karma

amunag439
Explorer

Thanks for the reply @cmerriman

0 Karma