topic Re: Timechart field value by field woes in Splunk Search

Timechart field value by field woes

thelegendofando — Tue, 09 May 2017 11:25:43 GMT

Hello,

I have log messages that look like this:
Handled MessageTypeA in 10ms
Handled MessageTypeB in 23ms
Handled MessageTypeA in 5ms
Handled MessageTypeB in 27ms

I would like a line chart that shows me how long the messages are taking to process by each message type.
i.e. there would be 2 lines on the chart, one for MessageTypeA between values 10 and 5, and one for MessageTypeB between values 23 and 27.

This was my attempt:
{my search}| rex field=_raw "Handled (?\S*) in (?\d+)"| timechart list(time) by msg

It seems to plot something, but not anything relating to the data I've got.

Re: Timechart field value by field woes

Richfez — Tue, 09 May 2017 11:48:05 GMT

You are part of the way there. Try this for a better and more "accurate" chart.

{my search}| rex field=_raw "Handled (?<msg>\S*) in (?<time>\d+)" | timechart avg(time) by msg

max(), min(), etc... all the timechart functions are available there. Indeed, several at once, like

{my search}| rex field=_raw "Handled (?<msg>\S*) in (?<time>\d+)" 
| timechart avg(time) as Average, max(time) as Maximum min(time) as Minimum by msg

Happy Splunking!
Rich

Re: Timechart field value by field woes

thelegendofando — Tue, 09 May 2017 12:00:05 GMT

Thanks 🙂

That did it, but it's not drawing lines between the points for some reason.

Re: Timechart field value by field woes

Richfez — Tue, 09 May 2017 12:03:44 GMT

Easy - that's in the chart formatting.

Click the Format button drop-down (top left of the chart),
In the "General" tab there's a way to handle "Null Values" Click the last of the three options to join them.

Re: Timechart field value by field woes

thelegendofando — Tue, 09 May 2017 12:28:47 GMT

Ah, genius! Thanks 🙂