Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Use multiple stats and display all results on one chart

ektasardana
Explorer
‎11-06-2017 10:59 PM

I have a base search query which is quite complicated and I want to use that to calculate multiple stats and display all of them on a single chart. I am having a hard time to solve this problem in Splunk. When searched, found multiple options to do it but nothing really works.
1. Use append and sub search - need the output from base search. not a neat way to copy the big and complicated search again and again
2. Cannot just refer to base search again in sub searches

High level overview of the problem I am trying to solve:
base search returns

Time --- #Action --------- #id1 ---------- #id2 ------------- #id3

_time, event A send, sessionAid
_time, event B send, -------------- sessionBid
_time, event A recv, sessionAid
_time, event B recv, --------------- sessionBid
_time, event C send, ---------------------------------- sessionCid
_time, event C recv, ---------------------------------- sessionCid

I need to calculate the duration between each event's send and receive. I am using stats command for that.

base search results| eval eventA_send_time = ### | eval eventA_recv_time = ###| stats values(eventA_send_time) as send_time values(eventA_recv_time) as recv_time by sessionAid| mvexpand recv_time | eval A_time = recv_time - send_time

Similarly for Event B and C. This works fine if run individually but I need to display durations of event A, B and C on a chart.
Can someone explain how this can be achieved. Really appreciate your help!!

Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-07-2017 03:17 AM

You have not explained how you use stats to obtain each event's send and receive time. Judging from your high level data representation, what you really want is session duration (sessioId1, sessionId2, ...) grouped by event type (A, B, C, ...). If that is the case, indeed stats provides a cheap method. For simplicity, I further assume that the session IDs are in the same series, i.e., the same ID will not appear in more than one event types. There are ways to workaround this limitation, but it is just nuance.

You also have not explained what kind of chart you are looking for. Here is an example of time chart for average session duration for each type.

base search | rex "event (?<eventType>\w+)"
| stats min(_time) as _time max(_time) as end by sessionId eventType
| eval duration = end - _time
| timechart avg(duration) by eventType

(The above also assume that "event A", "event B", etc., appears literally like that so a regex can extract event type. You'll have to find your own way to extract this if that's not the case.) If there is a chance that session IDs overlap between event types, the simplest way to deal with it is to redefine session ID by sticking event type to session ID to form a new ID that is unique, e.g., | eval sessionId = eventType.sessionId.

0 Karma
Reply

ektasardana
Explorer
‎11-07-2017 09:32 AM

I am using eval eventA_send_time = if(action = "event A send",_time,null()) to obtain time for each event send and receive. Same goes for others.
Also not sure how this "| eval sessionId = eventType.sessionId" will work since sessionId is not a single column. I have three different columns for ids.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...