topic Re: Outlook Launch Time query issue in Splunk Search

Outlook Launch Time query issue

MartinMcNutt — Sun, 24 Nov 2013 00:29:56 GMT

We are currently using Event 45 to calculate the average load for Outlook: Microsoft KB & Sample Data

What we have for a search is this using Splunk 6:

index=win_desk EventCode=45 sourcetype="WinEventLog:Application" SourceName=Outlook | rex field=_raw "Boot Time \(Milliseconds\)\: (?<BootTime_ms>\d+)" max_match=0   | streamstats sum(BootTime_ms) as Evt_sum_BootTime window=1 | eval Evt_BootTime_sec = Evt_sum_BootTime / 1000 | bucket _time span=1d  | stats avg(Evt_BootTime_sec) by _time

When I run this search for the following days (10/1/13 12:00:00.000 am to 10/6/13 12:00:00.000 am) I come up with the following results:

_time                avg(Evt_BootTime_sec)
2013-10-01           24.834010
2013-10-02           7.831655
2013-10-03           7.796068
2013-10-04           4.842439
2013-10-05           4.59200

So far it all looks good! The problem seems to be when we adjust the the time frame to 30 days. My results go crazy!

10/1/13 12:00:00.000 AM to 11/1/13 12:00:00.000 AM
_time   avg(Evt_BootTime_sec)
2013-10-01   772.931010
2013-10-02   755.928655
2013-10-03   755.893068
2013-10-04   752.939439
2013-10-05   752.689000
2013-10-06   756.884800
2013-10-07   719.525329
2013-10-08   687.182311

As you can see in the data10/1/2013 has jumped from 24 seconds to 12 Minutes by just changing the date range. The goal is to track our progress month by month showing a steady progress downwards in a chart.

What am I doing wrong here?

Re: Outlook Launch Time query issue

lguinn2 — Sun, 24 Nov 2013 04:24:17 GMT

This is because your streamstats are accumulated over more than one day now. I don't think you need the streamstats at all. If you want the average daily load calculated over the last X days, you could do this

index=win_desk EventCode=45 sourcetype="WinEventLog:Application" SourceName=Outlook 
| rex field=_raw "Boot Time \(Milliseconds\)\: (?<BootTime_ms>\d+)" max_match=0   
| eval Evt_BootTime_sec = Evt_sum_BootTime / 1000 
| bucket _time span=1d
| stats avg(Evt_BootTime_sec) by _time

Re: Outlook Launch Time query issue

dstaulcu — Sun, 24 Nov 2013 18:39:18 GMT

We discovered that log data about outlook a few weeks ago. very cool. For our instance of Splunk which is also version 6 the boot time field for add-ins auto-discovered. Is the value not getting extracted by default for you? Did you find something wrong with it which led you to regex extraction? I'll check to see whether I cam getting similar variation over time

Re: Outlook Launch Time query issue

MartinMcNutt — Sun, 24 Nov 2013 20:29:32 GMT

The rex is left over from the 5X Splunk servers.

Re: Outlook Launch Time query issue

MartinMcNutt — Sun, 24 Nov 2013 20:51:53 GMT

I tried your approached but BootTime is auto discovered as a Multivalue field. Streamstats is doing exactly what is required and summing the time for each record.

The really odd thing about this is it works perfectly against a single indexer where it was originally created. When we execute against our new cluster it is fails with the bad values.

Thanks for the help anyways. I am going to see if Splunk can give us a hand with this and I will post the final search when it is done.

Re: Outlook Launch Time query issue

lguinn2 — Tue, 26 Nov 2013 05:15:34 GMT

Ah, that's a pretty brilliant use of streamstats

But I think that something must be wrong with your event parsing if you are getting multiple BootTimes in a single event.

Looking forward to seeing your final search...

Re: Outlook Launch Time query issue

jackdenial — Wed, 26 Sep 2018 11:03:26 GMT

I am getting the same problem with my Outlook account when I tried to launch time on my outlook, then an error message is generating that is “Outlook launch time query issue”. Can anyone tell me the solution? I have Forgotten Outlook Password then I resolved this issue from this link https://www.outlooktechnicalsupportnumbers.com/
,