topic Re: How to search with a fixed time span timechart everyday? in Splunk Search

How to search with a fixed time span timechart everyday?

zacksoft — Wed, 29 Aug 2018 14:05:54 GMT

I am trying to find my average response time of everyday events (not avg of all the events of that day , but the events from 10AM to 1PM) only for last 7 days.

sourcetype="super:access" host=xa20hlf**  | eval headers=split(_raw," ") | eval resp_time=mvindex(headers,10) | eval resptime_time_seconds=resp_time*0.001| timechart span=1d eval(round(avg(resptime_time_seconds),2)) as avgTime

Re: How to search with a fixed time span timechart everyday?

DalJeanis — Wed, 29 Aug 2018 14:21:42 GMT

Try this...

sourcetype="super:access" host=xa20hlf**  
| eval Hour=strftime(_time,"%H")
| where Hour>=10 AND Hour<13
| eval headers=split(_raw," ") 
| eval resp_time=mvindex(headers,10) 
| eval resptime_time_seconds=resp_time*0.001
| timechart span=1d eval(round(avg(resptime_time_seconds),2)) as avgTim

Re: How to search with a fixed time span timechart everyday?

horsefez — Wed, 29 Aug 2018 14:25:32 GMT

Hi @zacksoft,

how about this:

sourcetype="super:access" host=xa20hlf** earliest=-7d@d latest=now (date_hour=10 OR date_hour=11 OR date_hour=12 OR date_hour=13) | eval headers=split(_raw," ") | eval resp_time=mvindex(headers,10) | eval resptime_time_seconds=resp_time*0.001| timechart span=1d eval(round(avg(resptime_time_seconds),2)) as avgTime

Re: How to search with a fixed time span timechart everyday?

zacksoft — Wed, 29 Aug 2018 14:33:02 GMT

I wanna change the latest = now to latest = (a fix time of day/week, that I choose like this wednesday 6pm) . Also can we exclude weekends?
When we give span=1d, what exactly is the duration of 1d in clockwise?

Re: How to search with a fixed time span timechart everyday?

twinspop — Wed, 29 Aug 2018 14:46:12 GMT

Dal: In my admittedly limited testing, I found it ~ 8% faster to filter on hour after the timechart. Trim the first eval and the first where, and after timechart add: | where tonumber(strftime(_time,"%H"))>=10 and tonumber(strftime(_time,"%H"))<13. My test was a simple count on _internal.

Re: How to search with a fixed time span timechart everyday?

DalJeanis — Thu, 30 Aug 2018 02:06:14 GMT

@twinspop - you can't filter on hour after the timechart aggregates to span=1d ... so it would not work unless you change the timechart to span=1h and then run it again through timechart to aggregate it up to the day level... and then you are averaging the averages rather than the actual events. If you have an idea that you think will work, please go ahead and write it up as an answer. The more, the merrier!

Re: How to search with a fixed time span timechart everyday?

twinspop — Thu, 30 Aug 2018 02:32:31 GMT

Shoot man, you're totally right. My bad.