topic Re: Calculate hourly usage from Machine data in Splunk Search

Calculate hourly usage from Machine data

shashank_24 — Mon, 19 Jul 2021 14:51:15 GMT

Hi, I have uploaded a JSON data from one of my APM tools into Splunk to get some meaningful insights. The events are there for every hour. Every event has 2 fields timeFrameStart & timeFrameEnd which are coming as Epoch time and I have converted them into human readable format. There is another fields called Visits which tells me how many visits were there in that hour.

My requirement is to plot a hourly usage graph with time as x-axis (probably derive from timeFrameStart field) and visits on the y-axis. I've written a base query -

source="mydataarchive" host="splunkdev" index="test_index" | eval startTime=strftime(timeFrameStart/1000,"%a,%d %b %Y %H:%M:%S") | eval endTime=strftime(timeFrameEnd/1000,"%a,%d %b %Y %H:%M:%S") | table startTime endTime visits

Let me know if anyone can advice on this using stats or timechart command.

Re: Calculate hourly usage from Machine data

kamlesh_vaghela — Mon, 19 Jul 2021 16:46:19 GMT

@shashank_24

Can you please try this for timechart?

source="mydataarchive" host="splunkdev" index="test_index" | eval timeFrameStart=timeFrameStart/1000, timeFrameEnd=timeFrameEnd/1000, usage=timeFrameEnd-timeFrameStart, _time=timeFrameStart | timechart span=1h sum(usage) as usage sum(Visits) as Visits

Re: Calculate hourly usage from Machine data

shashank_24 — Tue, 27 Jul 2021 17:22:40 GMT

@kamlesh_vaghela It's not working. What i want is hourly chart with visits on y-axis. _time field is coming as index time which I don't want.

I want to plot against the time field

timeFrameStart

Re: Calculate hourly usage from Machine data

kamlesh_vaghela — Wed, 28 Jul 2021 04:25:50 GMT

@shashank_24

If you observe the search I'm overwrite the _time by doing eval. It isn't working?

_time=timeFrameStart