Hello,
I want to create a line graph where the y axis is time and the x axis is the name of the event. How would you create that line graph? An example of the file is:
2015-05-22 00:05:02,318 INFO Begin Payment
2015-05-22 00:10:17,090 INFO Finished Payment
So I want the x axis to be the payment and the y axis the time it took for the payment to finish, in this case 5 minutes.
Based on this comment of yours:
The "Payment" string is unique
This is the best that can be done:
... | rex "INFO\s+(?<TransactionType>[\S]+)\s+(?<PaymentString>.*)$" | stats earliest(_time) AS start latest(_time) AS stop BY PaymentString | eval duration=stop-start
If you would like to chart it, you can do something like this:
... | rex "INFO\s+(?<TransactionType>[\S]+)\s+(?<PaymentString>.*)$" | eventstats earliest(_time) AS start latest(_time) AS stop BY PaymentString | where TransactionType="Finished" | eval duration=stop-start | timechart span=1h avg(duration)
Also, check out the answer to this question which I believe is either the same or very related:
http://answers.splunk.com/answers/301060/how-to-create-a-line-graph-in-xml-that-displays-th-1.html
Your event examples are woefully inadequate, but assuming you have fields like AccountNumber and PaymentAmount, then do it like this:
... | rex "INFO\s+(?<TransactionType>.*)" | eventstats earliest(_time) AS start latest(_time) AS stop BY PaymentAmount AccountNumber TransactionType | eval start=if(TransactionType="Begin Payment",start,null()) | eval stop=if(TransactionType="Begin Payment",null(),stop) | stats first(start) AS start first(stop) AS stop BY PaymentAmount AccountNumber | eval duration=stop-start | chart avg(duration) BY PaymentAmount
This may not be exactly the view that you desire, but you should be able to tweak it from there.
Do your payments have an id you could use to distinguish them? Then you could split your x-axis along these ids.
No they do not.
Then I'm afraid what you ask for is not possible. What you have is just individual "begin" and "end" events, how would you ever find out which two belong together? Or is there no concurrency?
The "Payment" string is unique
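The two approaches in this thread, earliest/latest BY PaymentString from the first answer and pairing Begin/Finished per identifier from the third, reimplemented as an added Python example so the concurrency caveat from the comments can be seen on real lines. This is not code from the thread or from Splunk. The log lines are constructed: the poster's two lines (with the timestamp typo corrected) plus a second, overlapping payment, and the trailing acct= field is an assumed identifier the poster says does not exist in their data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Lines 1 and 3 are the
# poster's events; lines 2 and 4 add an overlapping second payment. The acct=
# suffix is an ASSUMED identifier field used to show the per-id pairing.
SAMPLE_LOG = """\
2015-05-22 00:05:02,318 INFO Begin Payment acct=1001
2015-05-22 00:06:30,000 INFO Begin Payment acct=2002
2015-05-22 00:10:17,090 INFO Finished Payment acct=1001
2015-05-22 00:14:00,000 INFO Finished Payment acct=2002
"""

# Same field split as the answers' rex: TransactionType is the first token
# after INFO, PaymentString the next one; the acct= field is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO\s+"
    r"(?P<TransactionType>\S+)\s+(?P<PaymentString>\S+)(?:\s+acct=(?P<acct>\S+))?\s*$"
)

EPOCH = datetime(1970, 1, 1)


def parse(log):
    """Return one dict per matching line, with _time as integer milliseconds (like Splunk's _time)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:  # non-matching lines get no fields, as with rex
            continue
        ev = m.groupdict()
        dt = datetime.strptime(ev.pop("ts"), "%Y-%m-%d %H:%M:%S,%f")
        ev["_time"] = (dt - EPOCH) // timedelta(milliseconds=1)
        events.append(ev)
    return events


def durations_by_string(events):
    """First answer: stats earliest(_time) AS start latest(_time) AS stop BY PaymentString | eval duration=stop-start.

    Without an id, overlapping payments collapse into one span from the first
    Begin to the last Finished, which overstates every individual duration.
    """
    start, stop = {}, {}
    for ev in events:
        k = ev["PaymentString"]
        start[k] = min(start.get(k, ev["_time"]), ev["_time"])
        stop[k] = max(stop.get(k, ev["_time"]), ev["_time"])
    return {k: stop[k] - start[k] for k in start}


def durations_by_key(events, key="acct"):
    """Third answer: per identifier, start = earliest Begin, stop = latest Finished."""
    start, stop = {}, {}
    for ev in events:
        k = ev.get(key)
        if k is None:  # no identifier on this event, cannot pair it
            continue
        if ev["TransactionType"] == "Begin":
            start[k] = min(start.get(k, ev["_time"]), ev["_time"])
        elif ev["TransactionType"] == "Finished":
            stop[k] = max(stop.get(k, ev["_time"]), ev["_time"])
    # only identifiers with both a Begin and a Finished yield a duration
    return {k: stop[k] - start[k] for k in start if k in stop}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("by PaymentString (ms):", durations_by_string(evs))
    print("by acct (ms):", durations_by_key(evs))
```

On the constructed lines the PaymentString-only version reports one 537682 ms span, while pairing by acct gives 314772 ms (about 5 minutes, the poster's case) and 450000 ms for the two payments separately; on the poster's two original lines alone both approaches agree, which is the "no concurrency" condition the commenter asked about.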