topic Re: How to show text values in a timechart? in Splunk Search

How to show text values in a timechart?

edwinmae — Thu, 03 Mar 2016 07:33:24 GMT

I have the following information extracted from the log file:

03.03.2016 04:46:23 : Execution time in minutes: 4,37056666666667
03.03.2016 04:16:17 : Execution time in minutes: 4,2685
03.03.2016 03:46:15 : Execution time in minutes: 4,25025

If I extract new fields (using space), I will get 8 fields, Meaning I am able to filter the time (like 4,37056) for field 8
table _time and field8 --> and I'll get the date/time like 03.03.2016 04:46:23 and the Execution time like 4.37056

Now, when I want to show the date/time and Execution times in, for example, a line graph, it's empty -- I have the date/time (X-axis) and Execution time (Y-axis)

Unfortunately the graph is empty ..

Re: How to show text values in a timechart?

lguinn2 — Thu, 03 Mar 2016 23:41:15 GMT

It would help if you showed the actual Splunk commands.

Re: How to show text values in a timechart?

lguinn2 — Thu, 03 Mar 2016 23:46:42 GMT

Assuming that you have a field named execution_time, try this

yoursearchhere
| convert num(execution_time) as exec_time 
| sort _time
| table _time exec_time

Although this would probably make a better time chart:

yoursearchhere
| convert num(execution_time) as exec_time 
| timechart avg(exec_time) as Avg_Execution_Time

Re: How to show text values in a timechart?

edwinmae — Tue, 29 Sep 2020 08:58:40 GMT

Original search:
index = xxxxx sourcetype = xxxxx host = xxxxx source = "Log-File" field4 = Execution field5 = time field6 = in field7 = "minutes:" Execution_Time = "*"

04.03.2016 10:19:47 : Execution time in minutes: 6,77968333333333
04.03.2016 09:19:36 : Execution time in minutes: 6,60625
04.03.2016 08:48:48 : Execution time in minutes: 5,80391666666667
04.03.2016 08:18:33 : Execution time in minutes: 5,5466

Adding | table _time Execution_Time -- this is how it should look in graph -- date/time on the X-as and Execution Time in minutes on the Y-as

2016-03-04 10:19:47 6,77968333333333
2016-03-04 09:19:36 6,60625
2016-03-04 08:48:48 5,80391666666667
2016-03-04 08:18:33 5,5466

Visualization: X-as and Y-as look OK, but the graph is empty

When adding | convert num(Execution_Time) as exec_time | table _time exec_time

2016-03-04 10:19:47 677968333333333
2016-03-04 09:19:36 660625
2016-03-04 08:48:48 580391666666667
2016-03-04 08:18:33 55466
2016-03-04 07:48:30 54875

When I | timechart avg(exec_time) as Avg_Execution_Time I (now) get values in the graph -- unfortunately these are incorrect (=unusable).

I am new to Splunk, so all help is appreciated here

Target is to get these execution times in minutes in graph with some alerts configured e.g. if 'execution time' > 10 (minutes)

Re: How to show text values in a timechart?

edwinmae — Fri, 04 Mar 2016 13:10:58 GMT

My comments are not saved for unknown reason

Re: How to show text values in a timechart?

lguinn2 — Fri, 04 Mar 2016 22:07:17 GMT

Okay, try this

source=log_file
| rex "Execution time in minutes: (?<exec_time>\S+)"
| eval Execution_time = tonumber(replace(exec_time, ",", "." ))
| timechart avg(Execution_time) as Avg_Execution_Time

or substitute the following for the timechart command:

| sort _time
| table _time Execution_time

The problem with the earlier answer is that Splunk interpreted the comma in the execution time as a thousands separator. And there was a typo, which I have corrected.

Re: How to show text values in a timechart?

edwinmae — Mon, 07 Mar 2016 08:00:16 GMT

The following worked and reflected the correct values in the 'graph':

| rex "Execution time in minutes: (?\S+)" 
| eval Execution_time = tonumber(replace(exec_time, ",", "." ))
| sort _time
| table _time Execution_time

Also the following did the job

| rex field=Execution_Time mode=sed "s/,/./g" 
| table _time Execution_Time

Re: How to show text values in a timechart?

edwinmae — Wed, 09 Mar 2016 05:17:58 GMT

Thanks for your help Iguinn!