How to group my search results with respect to res...

kmahamkali · ‎12-18-2017

here is the situation:
I have two fields
1. Response time that needs grouping like this (Low=0-1.2, Medium=1.2-1.5, High=1.5-1.8 default=Critcal)
2. CodeName that corresponds to the response time

i want to see top 5 codenames trending graph with bucketing as mentioned above for a span of 15min.

I tried this
my search| rangemap field=ResponseTime Low=0-1.2, Meduim=1.2-1.5, High=1.5-1.8 default=Critcal | timechart count span=15 min by range

Kwip · ‎12-22-2017

Yes you have to go with eval case in this scenario,

my search
| eval Range=case(
ResponseTime>0 AND ResponseTime<1.2, "Low", 
ResponseTime>1.2 AND ResponseTime<1.5, "Medium", 
ResponseTime>1.5 AND ResponseTime<1.8, "High", 
1==1 "Critical")
| timechart span=15 range by CodeName

JDukeSplunk · ‎12-20-2017

I don't think rangemap likes decimals. Maybe the answer posted here using |eval case will be a suitable substitute.

https://answers.splunk.com/answers/5659/rangemap-does-not-work-with-decimals.html

somesoni2 · ‎12-18-2017

What's the output of your current search and what's the output should be?

How to group my search results with respect to response time ranges?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!