Archive
Highlighted

Using timechat with 2 fields without any field calculation

Explorer

Hi,
I'm new in Splunk (and my knowledge is very very basic) and I have to build a complex dashboard with multiple indexes. I've tried googling it and I did not find anything related to my needs.
So, I have my index with a log file from a group of servers (farm) and that log is imported every hour. This log has 2 sourcetypes (users and computers).

My logfile has this name: ControlUpSessions012420171200.csv and "12_00" represents the hour that is imported to splunk.

I need to build a line chart by hour for a specific user (variable from an input field) with his "session Latency" and "CPU Usage"

With this query I have my results:
index=controlup sourcetype="csv-sessions" User="XPTO"
| table "Protocol Latency _ Session Avg", CPU

But using a "Timechart" with "span=1h" all examples have an "eval" or an "avg" and I don't need that.

I've tried and I have the results but only with AVG:
index=controlup sourcetype="csv-sessions" User="XPTO"
| timechart span=60m avg("Protocol Latency _ Session Avg")
| appendcols [search index=controlup sourcetype="csv-sessions" User="XPTO" | timechart span=60m avg(CPU)]

Basiclly I need a timeline with CPU usage and latency during the day for a selected user without any calculated value/field.
Can someone point me to the rigth direction, please?

Tags (1)
0 Karma
Highlighted

Re: Using timechat with 2 fields without any field calculation

Influencer

Have you tried just this:

index=controlup sourcetype="csv-sessions" User="XPTO" 
| timechart span=60m avg("Protocol Latency _ Session Avg")  avg(CPU)

You can specify multiple stats in a timechart

0 Karma
Highlighted

Re: Using timechat with 2 fields without any field calculation

Explorer

After several attemps I have my timeline like this:

alt text

<panel>
  <title>User timeline</title>
  <input type="text" token="username_field1" searchWhenChanged="true">
    <label>Username</label>
    <initialValue>*</initialValue>
    <default>*</default>
  </input>
  <input type="time" token="dash_date1" searchWhenChanged="true">
    <label>Date</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
  </input>
  <chart>
    <search>
      <query>
        index=pt_app_it_citrix_controlup sourcetype="csv-sessions" User="$username_field1$"
        | rex field=source ".*_(?<![CDATA[<date>]]>[0-9]+_[0-9]+_[0-9]+)_[0-9]+_[0-9]+_[0-9]+.csv" 
        | rex field=source ".*_(?<![CDATA[<hour>]]>[0-9]+_[0-9]+)_[0-9]+.csv"
        | eval _time = strptime(replace(date,"_","-") + " " + replace(hour,"_",":")+":00", "%m-%d-%Y %H:%M:%S")
        | timechart span=60m eval(round(avg('Protocol Latency _ Session Avg'),1)) as latency, eval(round(avg(CPU)/100,1)) as cpu
        | sort _time
    </query>
      <earliest>$dash_date1.earliest$</earliest>
      <latest>$dash_date1.latest$</latest>
    </search>
    <option name="charting.chart">line</option>
    <option name="charting.chart.showDataLabels">all</option>
  </chart>
</panel>

But I still have to apply the AVG:
| timechart span=60m eval(round(avg('Protocol Latency _ Session Avg'),1)) as latency, eval(round(avg(CPU)/100,1)) as cpu

Is there anyway to put these values As Is on a Timechart without the AVG ?

Thanks !!!

0 Karma
Highlighted

Re: Using timechat with 2 fields without any field calculation

SplunkTrust
SplunkTrust

Give this a try

index=pt_app_it_citrix_controlup sourcetype="csv-sessions" User="$username_field1$"
| rex field=source ".*_(?<![CDATA[<timestamp>]]>\d{2}_\d{2}_\d{4}_\d{2}_\d{2}.csv" 
| eval _time = strptime(timestamp,"%m-%d-%Y %H:%M")
| table _time 'Protocol Latency _ Session Avg' CPU
| sort _time
0 Karma