Response Time with hour intervals

Path Finder

I posted a question earlier this month regarding Response Time with an additional calculation.

What I need now, is help with doing the same search, but with a timechart, hourly interval.
Example
Time Average Response Time
date 13:00 0.528
date 14:00 0.896
etc.

My current search is
index=myindex* host="server" Message_Type="99*" OR Message_Type="91" OR Message_Type="92" OR Message_Type="94" source=EasyPayVAGAS* | dedup Message_Type, UUID | stats first(_time) as begin last(_time) as end by UUID | eval responsetime=begin-end | eval ResponseTime=if(responsetime>45,"45.000",responsetime) | stats avg(ResponseTime) as ResponseTime | eval RTAvg=round(ResponseTime,3) | table RTAvg

Any assistance will be appreciated, thanks!

0 Karma
1 Solution

SplunkTrust

Try this

index=myindex host="server" Message_Type="99" OR Message_Type="91" OR Message_Type="92" OR Message_Type="94" source=EasyPayVAGAS* | dedup Message_Type, UUID | eval Time=_time | bucket span=1h _time | stats first(Time) as begin last(Time) as end by UUID,_time| eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime) | timechart span=1h avg(Response_Time) as RT_Avg | eval RT_Avg=round(RT_Avg,3) 


Path Finder

Managed to get the search working with the results I need.
..my searches.. | eval Time=_time | bucket span=1h _time | stats first(Time) as begin last(Time) as end by UUID,_time | eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime) | timechart span=1h avg(Response_Time) as RT_Avg

Thanks for your assistance "somesoni2"

0 Karma
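
An added Python model of the grouping in the search above, run on constructed events (not part of the thread and not Splunk code). It shows what happens to a UUID whose two events fall on either side of an hour boundary when `bucket` runs before `stats ... by UUID,_time`, next to a variant that groups by UUID first. Event times, UUIDs and function names are assumptions; `dedup` is not modelled, and response time is taken as latest minus earliest.

```python
from collections import defaultdict

HOUR = 3600
CAP = 45.0  # the thread's searches cap response time at 45 seconds

# Constructed sample events: (epoch_seconds, UUID), two events per transaction.
EVENTS = [
    (13 * HOUR + 100.0, "a"), (13 * HOUR + 100.5, "a"),  # 0.5 s, inside 13:00
    (13 * HOUR + 200.0, "b"), (13 * HOUR + 260.0, "b"),  # 60 s, capped to 45
    (14 * HOUR - 1.0, "c"), (14 * HOUR + 1.0, "c"),      # 2 s, straddles 14:00
]

def _hourly_avg(groups, bucket_of):
    """Average the capped (latest - earliest) time of each group per hour."""
    per_hour = defaultdict(list)
    for key, times in groups.items():
        rt = min(max(times) - min(times), CAP)
        per_hour[bucket_of(key, times)].append(rt)
    return {h: round(sum(v) / len(v), 3) for h, v in sorted(per_hour.items())}

def bucket_then_group(events):
    """Models: bucket span=1h _time | stats ... by UUID,_time."""
    groups = defaultdict(list)
    for t, uuid in events:
        groups[(uuid, int(t // HOUR) * HOUR)].append(t)
    # A UUID split across two hours becomes two one-event groups (time 0).
    return _hourly_avg(groups, lambda key, times: key[1])

def group_then_bucket(events):
    """Models: stats ... by UUID, then bucket on the earliest timestamp."""
    groups = defaultdict(list)
    for t, uuid in events:
        groups[uuid].append(t)
    return _hourly_avg(groups, lambda key, times: int(min(times) // HOUR) * HOUR)

if __name__ == "__main__":
    print("bucket first:", bucket_then_group(EVENTS))
    print("group first: ", group_then_bucket(EVENTS))
```

With bucketing first, transaction "c" contributes a 0-second response to both 13:00 and 14:00 instead of 2 seconds to 13:00, which lowers the hourly averages.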

Path Finder

Yes, it returns UUID, time, begin, end
Now for the calculation
Added "| eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime)" and it displays the results correct.
All I need now is to add each UUID which displays the same hour (13:00 or 17:00) together.
Any suggestions on a calculation/search for adding result with the same time?

0 Karma

SplunkTrust

Does this return anything?

index=myindex host="server" Message_Type="99" OR Message_Type="91" OR Message_Type="92" OR Message_Type="94" source=EasyPayVAGAS* | dedup Message_Type, UUID | eval Time=_time | bucket span=1h _time | stats first(Time) as begin last(Time) as end by UUID,_time

Path Finder

Thanks for the quick response.
The search did not return any result.

0 Karma