topic Re: How to get sum and charts of usage time values for corresponding fields? in Splunk Search

How to get sum and charts of usage time values for corresponding fields?

fziegler — Wed, 18 Jun 2014 19:58:04 GMT

I'm using splunk 6.0.3

When I search for: "has been closed after being in use"
I have a series of hits like shown in the 4 sample lines below:

2014-06-17 18:26:47.219765 (UTC) Camera SITENAME-1.camera.CAMERANAME-1 has been closed after being in use for 175 seconds in automatic mode

2014-06-18 14:48:30.241732 (UTC) Camera SITENAME-2.camera.CAMERANAME-2 has been closed after being in use for 281 seconds in manual mode

2014-06-18 15:52:53.974993 (UTC) Camera SITENAME-3.camera.CAMERANAME-3 has been closed after being in use for 5494 seconds in Unknown mode

2014-06-18 15:53:10.312491 (UTC) Camera SITENAME-4.camera.CAMERANAME-4 has been closed after being in use for 5511 seconds in watching mode

How can a do a search, to report the total usage time, for each camera, at each site, in each mode?

and.. print pretty charts and plots?
thanks!

Fred.Ziegler@alum.mit.edu

Re: How to get sum and charts of usage time values for corresponding fields?

jeremiahc4 — Wed, 18 Jun 2014 20:03:34 GMT

You could either use the field extractor UI to try and solve it, or you could use rex on the search line to handle the same.

Something like (untested, but probably close);

your base search | rex "Camera (?P<CameraSite>.+) has been closed after being in use for (?P<UsageTime>\d*) seconds" | chart sum(UsageTime) by CameraSite

Re: How to get sum and charts of usage time values for corresponding fields?

jeremiahc4 — Wed, 18 Jun 2014 20:06:39 GMT

You probably need to modify the regex ".+" in the CameraSite field to capture the full name... I usually have to play around with it, but could either be something like

(?P[\w\d\-\.]*) or (?P.*[^ ])