Multiple average time calculations in a single search for Trellis Display

angersleek — Tue, 22 May 2018 12:51:14 GMT

This is my log format.

{
    servicename: ServiceOne
    end.timestamp: 20000
    start.timestamp: 19920
}

{
    servicename: ServiceTwo
    end.timestamp: 30000
    start.timestamp: 29520
}

{
    servicename: ServiceOne
    end.timestamp: 59800
    start.timestamp: 59220
}

I am trying to calculate the average time taken for each service and display it in a trellis Layout on my Dashboard.

For example as follows:

ServiceOne(milliSecond) ServiceTwo(milliSecond) ServiceThree(milliSecond) 

200                     320                     455

I am able to capture the data, subtract the time to get the duration for each time the service is called and get its average to display it for one service. Is there a way I could do this for all my services (there are 8 of them) in a single search to display it in a single Trellis layout as shown in the above example? Thanks.

This is what I have done which works for a single service.

servicename=Service* | Convert num(end.timestamp) as end_time | Convert num(start.timestamp) as start_time | eval time_taken=(end_time - start_time) | eval AllServicesDurationField=toString(time_taken) | chart avg(AllServicesDurationField) as "All Services"

Re: Multiple average time calculations in a single search for Trellis Display

somesoni2 — Tue, 22 May 2018 15:03:22 GMT

Just add by servicename at the end of your chart command.

topic Re: Multiple average time calculations in a single search for Trellis Display in Splunk Search

Multiple average time calculations in a single search for Trellis Display

Re: Multiple average time calculations in a single search for Trellis Display