Apologies - I am sure this has been answered before.
I am trying to create a graph from my traffic logs. I have managed to extract the 4 fields from the traffic logs as "Start_time" "End_time" "transmitted bits per second" "received bits per second"
But when I try to graph this I get different results. I want the x-axis to be the start_time (not the splunk recorded time field "_time") and I want the y-axis to be "bits per second"
I would like a single log entry to be represented on the x-axis from "Start_time" upto the later time of "End_time" with a height on the y-axis of the integer number "transmitted bits per second" (no time averages or other fancy math functions)
In fact I am just looking for a graph of traffic versus time from a standard traffic log.
Has anyone got any links to a splunk graph and the search string used to generate something like this ?
Many thanks for your help
The timechart command will use the _time field for its x-axis, and the values of that _time field have to be epochTime (ie # of seconds since 1970). Beyond that, where those values actually come from doesnt really matter, so we can just eval them from your extracted start_time field.
If that start_time is already an epochTime number then we can save some time, but Im going to assume that it's extracted in a string format, and Im going to additionally assume that the timeformat string involved is: "%m/%d/%Y %H:%M:%S"
So here goes:
<your search> | eval _time=strptime(start_time, "%m/%d/%Y %H:%M:%S")
that will overwrite the indexed _time values with your extracted times.
And from there, I think all you want is basically a graph of overall bits transmitted over time. I've broken this out step by step so its a little easier to follow.
<your search> | eval _time=strptime(start_time, "%m/%d/%Y %H:%M:%S") | eval end_time_epoch = strptime(end_time, "%m/%d/%Y %H:%M:%S") | eval duration=endtime_epoch - _time | eval bytesTransmitted = bytesTransmitPerSecond * duration | timechart sum(bytesTransmitted)
hope that helps.
Many thanks for you suggestions. You gave me a couple of things to look at further.
Am able to get the start time field from log entry
And can get the duration in seconds also from log entry.
Can convert the start time to epoch time and add on duration
to get the end time (as an epoch value or as a regular time stamp format).
But your suggestion "timechart sum(transmitpersecond)" would chart
the "transmitpersecond" against "_time" (the time stamp splunk gets the log at) , as opposed to the time in the log entry.
And gets the sum for this particular time rather than going showing a bar
... a bar chart type entry starting at "start time" and going on until "end time".
Maybe I am being too particular. I will give your suggestion a go and it will probably give me good enough results.
Again many thanks for your help here.
Is there a reason that you're not indexing the data such that the indexed time of the event actually is the starttime field? Is there a third timestamp in the logs that is also meaningful? If not I suggest fixing the problem at indexing, cause then this just becomes "timechart avg(transmittedbps)"