Hi,
I need to generate a report like this:
appName | buck | count
abc | <=1 minute | 5
abc | >1 min. && <=10 min. | 0
abc | >10 min. && <=30 min. | 5
xyz | <=1 minute | 0
xyz | >1 min. && <=10 min. | 1
xyz | >10 min. && <=30 min. | 15
My query is doing the job for the most part, except when the count is zero: Splunk does not show an entry for it, so instead it gives the following (notice rows #2 and #4 are missing):
appName | buck | count
abc | <=1 minute | 5
(I need it to show a zero count row here)
abc | >10 min. && <=30 min. | 5
(I need it to show a zero count row here)
xyz | >1 min. && <=10 min. | 1
xyz | >10 min. && <=30 min. | 15
Here's my search:
search | eval buck=case(waitTimeSec <= 60, "<= 1min", waitTimeSec <= 600, "> 1min && <=10 min ", waitTimeSec <= 1800, ">10min && <=30 min.") | stats count(event) as count by appName, buck
Any pointer is appreciated. Thanks.
### new info
Thanks for the info. I followed the example you provided; it sort of works, but now I cannot get it to group by appName first when I'm using rangemap. Here's my new query:
search |rangemap field=waitTimeSec "1-60"=0-60 "61-600"=61-600 "601-6000000"=601-6000000, "6000001-1600000"=6000001-1600000 |top limit=0 range |inputlookup append=true ntfn-lookup.csv |stats max(count) as mycount by range | sort range
Here's the result:
range mycount
1-60 4
61-600 7
601-6000000 14
6000001-1600000 0
Here's my lookup.csv:
range, count
1-60, 0
61-600, 0
601-6000000,0
6000001-1600000,0
I need it to group by appName first, so I tried:
|stats max(count) as mycount by appName, range | sort range
But this returns no results.
Any help is appreciated, thx.
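One way to get the zero-count rows grouped by appName, shown as an added example that is not part of the original post: `chart` builds an appName-by-buck grid, `fillnull` puts 0 in the empty cells, and `untable` turns the grid back into one row per appName and bucket. The `makeresults` events are constructed sample data standing in for the real base search; the field names and bucket labels are the ones from the first search above.

```spl
| makeresults count=6
| streamstats count as n
| eval appName=if(n<=3, "abc", "xyz")
| eval waitTimeSec=case(n=1, 30, n=2, 45, n=3, 900, n=4, 120, n=5, 1200, n=6, 1500)
| eval buck=case(waitTimeSec <= 60, "<= 1min", waitTimeSec <= 600, "> 1min && <=10 min", waitTimeSec <= 1800, ">10min && <=30 min.")
| chart count over appName by buck
| fillnull value=0
| untable appName buck count
```

With this sample data, abc gets a 0 row for "> 1min && <=10 min" and xyz gets a 0 row for "<= 1min". A bucket that no app hits at all in the search window still has no column, because `chart` only creates columns for values it has seen.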