Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Stash graph with time intervals.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stash graph with time intervals.
{"dtm":"2019-09-04 07:17:39.129 PDT", "logger":".WEB_ORDER_RELEASE", "app":{"a":"OrderBuilderService","dc":"rnodc1","e":"all.test.ce03","h":"rn-aost-c03-lapp17.rno.com","p":"5328","ptn":"AMR","r":"5df90752-abc0-4a05-bf35-f1484f5102ea"}, "msg":{"data":{"cartId":"00000000-00000000-d000-000078669e67","casId":"c2265eae-4db0-403c-a682-0efd25bc1e76","clientSubType":"web.common","clientType":"web","cosId":"1b4b4c51-5c95-4172-ad59-b89a6b2ce3de","deliveryGroup":"SINGLE_ADDRESS_SHIP_PARTIAL","features":["crd","verizonInstallments"],"fraudDecision":"NF","lineItems":[{"commitCode":"0","deliveryDate":"Tomorrow","deliveryType":"STH","partNumber":"MT312LL/A","product":"iPhone XR 64GB White","qty":"5","resolvedDate":"Tomorrow","shipMethodCode":"SO"}],"ops.response":"SUCCEEDED","orderType":"order","payments":["CARD"],"pssId":"W6474e26fbfd74dadb7e240350adb9c20","remoteHost":"12.11.11.111","storeFront":{"channel":"common.internet","formatCode":"common","geo":"w.ar.uss","language":"en-us","segment":"consumer","storeFrontId":"10078"},"webOrderNumber":"W7726473007"},"headerData":{"channel":"common.internet","dssId":"22079241-ac7d-4496-8b9b-e5624b6792c0","format":"common","geo":"w.ar.uss","hashedPersonId":"fGeEFnkTSPfUgzcrbTHNYH31lWfY50g2MEAwXapV/1Q=","language":"en-us","mileStoneId":"ORDER_RELEASE","segment":"consumer","storefrontId":"10078"}}}
We have mileStoneID as Create_Cart, Checkout, Create_Checkout, Web_order_create and Order_Release.
I have a very interesting requirement, where I need show count of pddID by mileStoneID with a stash intervals < 1min 1min-3mins 3-5mins >5mins . Let say pddID = 12345687 is in mileStoneId Web_order_create and it's been in that mileStoneId for 2mins, it should fall in the count bucket of create and stash interval of 1min-3mins and pddID = 12345687 should not be included in another mileStoneId count.
Please feel free to ask any questions,Thanks for your time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you'll need something like the following
<base search>
| stats latest(mileStoneId) as mileStoneId, latest(_time) as _time by pddID
| eval stash_interval=now()-_time
| eval interval_bucket=case(stash_interval<60,"< 1min", stash_interval<180,"1-3min", stash_interval<300,"3-5min",1==1,">5mins")`
| stats count by interval_bucket, mileStoneId
First, get all the data you need as part of your base search. Then get the latest mileStoneID and _time for each pddID.
Assuming that the _time of the event is correct, you could calculate the how long it has been in that state by doing eval stash_interval=now()-_time .
Next, you can calculate what interval "bucket" you want to put it in, with eval interval_bucket=case(stash_interval<60,"< 1min", stash_interval<180,"1-3min", stash_interval<300,"3-5min",1==1,">5mins")
Once you have that data, you can do a stats count by mileStoneId, interval bucket, and you should end up with the table you are after.
Good luck!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
