Dashboards & Visualizations

Why is the chart command not working properly?

zacksoft
Contributor

sample event

10.138.258.78 522x533587x10 JOHNNY [20/Jun/2018:08:42:23 -0400] "GET /rest/redbopper/1.0/xboard/work/allData.json?rapidViewId=9124&selectedProjectKey=BMRIEMARED&etag=9128%2C1529498111000%2C%5B%5D%2C%5B%5D%2C560&_=1529498542404 HTTP/1.1" 200 181 748 "https://phutan.mayhem.com/secure/ActiveBoard.jspa?superView=9024" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" "ihb3tl"

The number in bold indicates the response time and JOHNNY is the user. I wanted to get a chart drawn of the response time of all the transactions of the user. Here is my query. But I am not able to use the chart command properly.

sourcetype="Zaccess" host=A OR host=B NOT host=C AND JOHNNY
| eval headers=split(_raw," ")
 | eval username=mvindex(headers,2) 
| eval method=mvindex(headers,5)
 | eval Request=mvindex(headers,6) 
| eval Status=mvindex(headers,8) 
| eval req_time=mvindex(headers,10) 
| eval uri=mvindex(headers,11)
 | eval Method=replace(method,"\"","") 
| eval uri=replace(uri,"\"","") 
| eval Run_Time = req_time*0.001
 | rex field=_raw "\"(?[^\s]+)\"$"
 | eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S") 

Also, is it possible to input the username as a parameter as a dashboard input instead of hardcoding it in the query?

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

Hi @zacksoft,

Does this work for you ?

|stats count|eval _raw="10.138.258.78 522x533587x10 JOHNNY [20/Jun/2018:08:42:23 -0400] \"GET /rest/redbopper/1.0/xboard/work/allData.json?rapidViewId=9124&selectedProjectKey=BMRIEMAREDηg=9128%2C1529498111000%2C%5B%5D%2C%5B%5D%2C560&_=1529498542404 HTTP/1.1\" 200 181 748 \"https://phutan.mayhem.com/secure/ActiveBoard.jspa?superView=9024\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36\" \"ihb3tl\""
|rex "^(?:[^ \n]* ){2}(?P<user>\w+)"|rex "^(?:[^ \n]* ){10}(?P<resp_time>\d+)"|rex "^[^ \n]* (?P<txn_id>[^ ]+)"
|fields user,resp_time,txn_id|stats max(resp_time) by txn_id

Only last 2 lines are processing data.

Yes you could use parameter for user name in dashboard using tokens. Refer to Define_tokens_for_form_inputs

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

Hi @zacksoft,

Does this work for you ?

|stats count|eval _raw="10.138.258.78 522x533587x10 JOHNNY [20/Jun/2018:08:42:23 -0400] \"GET /rest/redbopper/1.0/xboard/work/allData.json?rapidViewId=9124&selectedProjectKey=BMRIEMAREDηg=9128%2C1529498111000%2C%5B%5D%2C%5B%5D%2C560&_=1529498542404 HTTP/1.1\" 200 181 748 \"https://phutan.mayhem.com/secure/ActiveBoard.jspa?superView=9024\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36\" \"ihb3tl\""
|rex "^(?:[^ \n]* ){2}(?P<user>\w+)"|rex "^(?:[^ \n]* ){10}(?P<resp_time>\d+)"|rex "^[^ \n]* (?P<txn_id>[^ ]+)"
|fields user,resp_time,txn_id|stats max(resp_time) by txn_id

Only last 2 lines are processing data.

Yes you could use parameter for user name in dashboard using tokens. Refer to Define_tokens_for_form_inputs

View solution in original post

zacksoft
Contributor

Thank you super very much.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!