topic Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls in Splunk Search

how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

saisree — Mon, 28 Sep 2020 19:21:12 GMT

This is my data.. now i want to take chart for time vs each command .. if it is possible have to show duration between start and end time of each command.. plz help me ..

03-25-2015 03:04:31.189, cmd_name=cmd1(Start_time_of_if)
03-25-2015 03:09:31.189, cmd_name=cmd1(end_time_of_if)

03-25-2015 03:12:31.189, cmd_name=cmd2(Start_time_of_if)
03-25-2015 03:17:31.189, cmd_name=cmd2(end_time_of_if)
03-25-2015 03:20:31.189, cmd_name=cmd3(Start_time_of_grep)
03-25-2015 03:24:31.189, cmd_name=cmd3(end_time_of_grep)
03-25-2015 03:27:31.189, cmd_name=cmd4(Start_time_of_if)
03-25-2015 03:32:31.189, cmd_name=cmd4(end_time_of_if)
03-25-2015 03:38:31.189, cmd_name=cmd5(Start_time_of_sed_command)
03-25-2015 03:42:31.189, cmd_name=cmd5(end_time_of_sed_command)
03-25-2015 03:49:31.189, cmd_name=cmd6(Start_time_of_if)
03-25-2015 03:55:31.189, cmd_name=cmd6(End_time_of_if)

Thank u

Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

esix_splunk — Sun, 29 Mar 2015 04:39:21 GMT

I would use the transaction command. That will give you a duration.

First would be to confirm that the cmd_name is extracted. If not, I'd extract this..

..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"

After you run that, you should see cmd_name is extracted as cmd1,cmd2, etc.

Then add transaction to that..

..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"  | transaction cmd_name beginswith="Start_time" endswith="end_time"

That should give you a per cmd_name transaction. Check the duration fields. You can perform your timechart or stats off of that...

 ..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"  | transaction cmd_name beginswith="Start_time" endswith="end_time" | timechart count by duration

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction

Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

saisree — Sun, 29 Mar 2015 06:12:52 GMT

Thank u for u respond sir.. but i am trying to run rex command its showing like Regex: unmatched parentheses
will u help out of this plz

Thank u

Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

esix_splunk — Sun, 29 Mar 2015 13:01:11 GMT

Did you resolve the parenthesis error? Cut and paste might have missed a character.

Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

saisree — Mon, 30 Mar 2015 03:01:18 GMT

yes i solved it .. but when i am running whole command its showing no resluts ....I tried a lot but i am not getting sir

Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

esix_splunk — Mon, 30 Mar 2015 03:12:58 GMT

Can you paste your full search into here. And be sure to use the quotes field.

Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

vasavigangana — Mon, 28 Sep 2020 19:18:45 GMT

source="all_option_to_tmp" | rex field=_raw "cmd_name=\(?[^)]+))" | transaction cmd_name startswith="Start_time" endswith="end_time" | timechart count by duration

Re: how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

saisree — Mon, 28 Sep 2020 19:21:25 GMT

pls consider the following search

source="all_option_to_tmp" | rex field=_raw "cmd_name=(?[^]+))" | transaction cmd_name startswith="Start_time" endswith="end_time" |timechart count by duration