Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with Splunk query

uagraw01
Motivator
‎07-26-2024 03:07 AM

I am working on the below query in which I want to calculate the lead_time in HH:SS. This query is giving me some results in statical mode but not giving any results with linechart. Please help me fix it.

Results with statical mode.

uagraw01_0-1721988295271.png

No results showing while using "line chart"

uagraw01_1-1721988332338.png

Below is the complete query:

index= abc
| eval completion_time=strptime(COMPLETED_TIMESTAMP, "%Y-%m-%dT%H:%M:%S.%3QZ")
| stats count by completion_time FULFILLMENT_START_TIMESTAMP _time
| eval lead_time = (completion_time - FULFILLMENT_START_TIMESTAMP)
| eval hours=floor(lead_time / 3600)
| eval minutes=floor((lead_time % 3600) / 60)
| eval formatted_minutes=if(minutes < 10, "0" . minutes, minutes)
| eval HH_MM = hours . ":" . formatted_minutes
| timechart max(HH_MM) as "Maximum" avg(HH_MM) as "Average" min(HH_MM) as "Minimum"
| eval hours=floor(Maximum / 3600)
| eval minutes=floor((Maximum % 3600) / 60)
| eval formatted_minutes=if(minutes < 10, "0" . minutes, minutes)
| eval max_HH_MM = hours . ":" . formatted_minutes
| eval hours=floor(Average / 3600)
| eval minutes=floor((Average % 3600) / 60)
| eval formatted_minutes=if(minutes < 10, "0" . minutes, minutes)
| eval avg_HH_MM = hours . ":" . formatted_minutes
| eval hours=floor(Minimum / 3600)
| eval minutes=floor((Minimum % 3600) / 60)
| eval formatted_minutes=if(minutes < 10, "0" . minutes, minutes)
| eval min_HH_MM = hours . ":" . formatted_minutes
| table _time max_HH_MM avg_HH_MM min_HH_MM

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2024 04:00 AM

The values need to be numeric e.g. number of minutes, you can't use string values such as HH:MM to display on a chart

0 Karma
Reply

uagraw01
Motivator
‎07-26-2024 04:04 AM

@ITWhispererDo you mean like this ?

| eval max_HH_MM = tostring(max_HH_MM)

| eval avg_HH_MM = tostring(avg_HH_MM)

| eval min_HH_MM = tostring(min_HH_MM)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2024 04:51 AM

No, that is the complete opposite of what I am saying!

index= abc
| eval completion_time=strptime(COMPLETED_TIMESTAMP, "%Y-%m-%dT%H:%M:%S.%3QZ")
| stats count by completion_time FULFILLMENT_START_TIMESTAMP _time
| eval lead_time = (completion_time - FULFILLMENT_START_TIMESTAMP)
| timechart max(lead_time) as "Maximum" avg(lead_time) as "Average" min(lead_time) as "Minimum"

Keep the values numeric differences between timestamps - if you want, you could divide the values by 60 to get minutes 

Reply

uagraw01
Motivator
‎07-26-2024 05:27 AM

@ITWhisperer 

index=wma_bext TYPE=FULFILLMENT_REQUEST STATUS="Marshalling"
| eval completion_time=strptime(COMPLETED_TIMESTAMP, "%Y-%m-%dT%H:%M:%S.%3QZ")
| stats count by completion_time FULFILLMENT_START_TIMESTAMP _time
| eval lead_time = (completion_time - FULFILLMENT_START_TIMESTAMP)
| timechart max(lead_time) as "Maximum" avg(lead_time) as "Average" min(lead_time) as "Minimum"
| foreach Maximum Average Minimum [ eval <<FIELD>>_hours=round('<<FIELD>>'/3600, 2), <<FIELD>>_minutes=round('<<FIELD>>'/60, 2) ]



When I use above query to combine hours and minutes and again , then i used to write like this "| eval max_d = Maximum_hours. ":" .Maximum_minutes" and again it comes into a string mode. Please suggest me how I can showcase my results in HH:MM mode for maximum, average, minimum.

Below results currently I am getting by using above query.

uagraw01_0-1721996620345.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2024 05:43 AM 
| foreach Maximum Average Minimum [ eval <<FIELD>>_duration=tostring(<<FIELD>>,"duration") ]

However, as I said before, you can't use these duration fields on a chart as they are strings not numbers

0 Karma
Reply

uagraw01
Motivator
‎07-26-2024 06:15 AM

@ITWhisperer 
Any alternative to showcase this in line chart ?

uagraw01_1-1721999697156.png

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2024 06:37 AM

Wouldn't you think if I knew of another way I would have mentioned it?

You can't use strings for values in charts.

Reply

uagraw01
Motivator
‎07-26-2024 06:46 AM

@ITWhisperer Thanks for your help and suggestion.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...