topic Re: Timechart for three different actions : Browse, View, Download in Splunk Search

Timechart for three different actions : Browse, View, Download

splunkman341 — Wed, 01 Jul 2015 19:31:21 GMT

Hi guys,

So I have a query which displays elapsedTime values for three different actions which are browse, view, and download. I am wondering if it possible to display this information into a timechart, where the x-axis displays the date by day and the y-axis displays the value. Here is the query I am trying to make the timechart out of

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | timechart values(elapsedTime) by service

Thanks in advance for your help

Re: Timechart for three different actions : Browse, View, Download

woodcock — Wed, 01 Jul 2015 19:37:47 GMT

I do not understand; that query looks good as-is (except that maybe you need a span=1m or something to deviate from the default). Does your search not produce a chart when you click on the visualization tab?

Re: Timechart for three different actions : Browse, View, Download

splunkman341 — Wed, 01 Jul 2015 19:40:41 GMT

No it does not, it displays an empty chart.

Re: Timechart for three different actions : Browse, View, Download

woodcock — Wed, 01 Jul 2015 19:46:21 GMT

It looks like your RegEx is bad so that either service or elapsedTime does not exist so no data is returned. What does this return?

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table *

Re: Timechart for three different actions : Browse, View, Download

splunkman341 — Wed, 01 Jul 2015 19:51:26 GMT

That does not display any information either, and says "Your search generated too much data for the current visualization configuration".

In the statistics tab, it displays alot more information as well that I do not need.

Re: Timechart for three different actions : Browse, View, Download

woodcock — Wed, 01 Jul 2015 19:54:35 GMT

OK, does this show your 2 fields?

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table service elapsedTime

Re: Timechart for three different actions : Browse, View, Download

splunkman341 — Wed, 01 Jul 2015 20:11:00 GMT

That does not display anything and gives the message "This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached."

I have three fields I need to display with their corresponding elapsedTimes which are :

-EmployeeDocumentServicesImp.getDocument

-EmployeeDocumentServicesImp.getDocumentPDF

--EmployeeDocumentServicesImp.listDocuments

Re: Timechart for three different actions : Browse, View, Download

woodcock — Wed, 01 Jul 2015 20:40:54 GMT

You need to go all the way back to the beginning, show sample data, describe what fields are currently being extracted and maybe we can get somewhere.

Re: Timechart for three different actions : Browse, View, Download

martin_mueller — Thu, 02 Jul 2015 00:12:00 GMT

Using values(field) in a timechart doesn't make sense, you need some aggregation to get down to a single number for each cell / data point. For example, you could use avg(field) or sum(field).

Re: Timechart for three different actions : Browse, View, Download

splunkman341 — Thu, 02 Jul 2015 15:09:52 GMT

Please see this link as a reference to what exactly I am trying to accomplish.

https://answers.splunk.com/answers/235496/how-to-search-for-three-different-actions-browse-v.html

Re: Timechart for three different actions : Browse, View, Download

splunkman341 — Mon, 06 Jul 2015 15:06:38 GMT

Hi woodcock. I was wondering if you were able to view my link

Re: Timechart for three different actions : Browse, View, Download

woodcock — Mon, 06 Jul 2015 15:13:55 GMT

I do not understand; you have an accepted answer to that question and @martin_muleller has the correct answer for this question. Do you understand what he said?

Re: Timechart for three different actions : Browse, View, Download

splunkman341 — Mon, 06 Jul 2015 15:26:46 GMT

I do but that is not what I want. I do not want the sum or average of each elapsedTime; I want to display each elapsedTime for each document action day by day.

Re: Timechart for three different actions : Browse, View, Download

woodcock — Mon, 06 Jul 2015 16:36:31 GMT

Based on clarifications in your comments, I think what you are trying to do is this:

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | bucket _time span=1d | stats values(elapsedTime) by _time service