topic Re: timechart call Time in Splunk Search

timechart call Time

area34 — Wed, 15 Apr 2020 07:22:58 GMT

Hi,

I tried to made a timechart (call duration) , the value I onyl have is the Users and the methods and the call timestamp. I want see how long the call takes with the user again one method?

thats my datas

timestamp user method

2020-04-15 07:18:28.978 WSABXXX checkXXXX

Re: timechart call Time

to4kawa — Wed, 15 Apr 2020 14:12:45 GMT

index=yours
| eval timestamp=strptime(timestamp,"%F %T.%3Q")
| stats range(timestamp) as duration by user method

Re: timechart call Time

area34 — Thu, 16 Apr 2020 06:18:28 GMT

Hi,

yeah now I want the the calls the field is empty...

index=*

| rex field=msg "(?\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}).- \w{5}.\w{5}.\w{7}.\w{10}.(?P.)- user=(?.*)- method=(?\w+)"
| eval timeStamp=strptime(timestamp,"%F %T.%3Q")
| stats range(timeStamp) as call by user action

sourc
|
|
V

user    method call

1 WSxxx checkmethod
2 WSyyy getmethod
3 WStztzz getOBmethod

what should I do if I want

Re: timechart call Time

area34 — Thu, 16 Apr 2020 06:21:06 GMT

my search
| rex field=msg "(?\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}).- \w{5}.\w{5}.\w{7}.\w{10}.(?P.)- user=(?.*)- method=(?\w+)"
| eval timeStamp=strptime(timestamp,"%F %T.%3Q")
| stats range(timeStamp) as call by user method

my result
user method call
1 WSxxx checkmethod
2 WSyyy getmethod
3 WStztzz getOBmethod

Now in the the field call is empty I want that field should count how often the user called method

Re: timechart call Time

to4kawa — Thu, 16 Apr 2020 11:37:45 GMT

| makeresults 
| eval _raw="raw
2020-04-15 07:18:28.978 WSABXXX checkXXXX
2020-04-15 08:18:28.968 WSABXXX checkXXXX"
| multikv forceheader=1
| rex "(?<timestamp>\S+\s\S+).(?<user>\S+).(?<method>\S+)"
| eval timeStamp=strptime(timestamp,"%F %T.%3Q")
| stats range(timeStamp) by user method

Check your REGEX and |eval timeStamp) ...result.