Reporting

Pick the value as column and the duration value as row against them, date-wise

sachdeva_2007
Explorer

Rex field to pick the value as column and the duration value as row against them. Refer to the below.

Date And Time    SIline  PrimaryAddress  SearchInServicing  NavExistingAddresses
2/11/1982 1:25   1.132   1.375           1.149              1.885


XML format

<Transaction Name="Naviline" Time="02/11/1982 01:25:07:223" Duration="9.034" />
<Transaction Name="SePipeline" Time="02/11/1982 01:25:07:899" Duration="0.662" />
<Transaction Name="NdwIncuse" Time="02/11/1982 01:25:09:553" Duration="1.614" />
<Transaction Name="EnterDetails" Time="02/11/1982 01:25:11:532" Duration="1.916" />
<Transaction Name="SIline" Time="02/11/1982 01:25:12:703" Duration="1.132" />
<Transaction Name="GetWindowIn" Time="02/11/1982 01:25:20:748" Duration="7.957" />
<Transaction Name="PrimaryAddress" Time="02/11/1982 01:25:22:154" Duration="1.375" />
<Transaction Name="WindowingTouch" Time="02/11/1982 01:25:51:674" Duration="1.365" />
<Transaction Name="dailysearch" Time="02/11/1982 01:26:01:908" Duration="10.141" />
<Transaction Name="SearchInServicing" Time="02/11/1982 01:26:03:115" Duration="1.149" />
<Transaction Name="NavExistingAddresses" Time="02/11/1982 01:26:05:060" Duration="1.885" />




ITWhisperer
SplunkTrust

This is because the transactions have different times - how do you want to group the transactions - by hour? by date? by event (ignoring the datetime)?


ITWhisperer
SplunkTrust

| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")

sachdeva_2007
Explorer

No result found; hope you saw the requirement. Refer to the attachment again.


ITWhisperer
SplunkTrust

Here is a run-anywhere example showing it working (the part before the blank lines sets up sample data in line with your example) - if your events are different in some way, perhaps you can share them.

| makeresults 
| eval _raw="<Transaction Name=\"Naviline\" Time=\"02/11/1982 01:25:07:223\" Duration=\"9.034\" />
<Transaction Name=\"SePipeline\" Time=\"02/11/1982 01:25:07:899\" Duration=\"0.662\" />
<Transaction Name=\"NdwIncuse\" Time=\"02/11/1982 01:25:09:553\" Duration=\"1.614\" />
<Transaction Name=\"EnterDetails\" Time=\"02/11/1982 01:25:11:532\" Duration=\"1.916\" />
<Transaction Name=\"SIline\" Time=\"02/11/1982 01:25:12:703\" Duration=\"1.132\" />
<Transaction Name=\"GetWindowIn\" Time=\"02/11/1982 01:25:20:748\" Duration=\"7.957\" />
<Transaction Name=\"PrimaryAddress\" Time=\"02/11/1982 01:25:22:154\" Duration=\"1.375\" />
<Transaction Name=\"WindowingTouch\" Time=\"02/11/1982 01:25:51:674\" Duration=\"1.365\" />
<Transaction Name=\"dailysearch\" Time=\"02/11/1982 01:26:01:908\" Duration=\"10.141\" />
<Transaction Name=\"SearchInServicing\" Time=\"02/11/1982 01:26:03:115\" Duration=\"1.149\" />
<Transaction Name=\"NavExistingAddresses\" Time=\"02/11/1982 01:26:05:060\" Duration=\"1.885\" />"
| multikv noheader=t
| table _raw



| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses


sachdeva_2007
Explorer

When I run the whole command including raw, it worked for me as well.

But when I run only these commands, it gives me the header detail but not any value against them except the dates column. Refer to the below screenshot.


| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<Date>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval Time=strptime(Date, "%d/%m/%Y %H:%M")
| eval {name}='duration'
| fields - name duration
| stats values(*) as * by Date
| fieldformat Time=strftime(Date, "%d/%m/%Y")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses

Please refer to the attached actual data available in Splunk.


ITWhisperer
SplunkTrust

It always helps to have a more complete picture! Try this

| makeresults 
| eval _raw="<PerformanceReport>
<SearchCustomer>
<Transaction Name=\"Naviline\" Time=\"02/11/1982 01:25:07:223\" Duration=\"9.034\" />
<Transaction Name=\"SePipeline\" Time=\"02/11/1982 01:25:07:899\" Duration=\"0.662\" />
<Transaction Name=\"NdwIncuse\" Time=\"02/11/1982 01:25:09:553\" Duration=\"1.614\" />
<Transaction Name=\"EnterDetails\" Time=\"02/11/1982 01:25:11:532\" Duration=\"1.916\" />
<Transaction Name=\"SIline\" Time=\"02/11/1982 01:25:12:703\" Duration=\"1.132\" />
<Transaction Name=\"GetWindowIn\" Time=\"02/11/1982 01:25:20:748\" Duration=\"7.957\" />
<Transaction Name=\"PrimaryAddress\" Time=\"02/11/1982 01:25:22:154\" Duration=\"1.375\" />
<Transaction Name=\"WindowingTouch\" Time=\"02/11/1982 01:25:51:674\" Duration=\"1.365\" />
<Transaction Name=\"dailysearch\" Time=\"02/11/1982 01:26:01:908\" Duration=\"10.141\" />
<Transaction Name=\"SearchInServicing\" Time=\"02/11/1982 01:26:03:115\" Duration=\"1.149\" />
<Transaction Name=\"NavExistingAddresses\" Time=\"02/11/1982 01:26:05:060\" Duration=\"1.885\" />
</PerformanceReport>
</SearchCustomer>"


| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>"
| mvexpand transaction
| rex field=transaction "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses

sachdeva_2007
Explorer

Like I said earlier, your whole query worked properly, but when I run only the below code it's not giving me any output.

Refer to the below screenshot.


ITWhisperer
SplunkTrust

Try the lines adding one at a time to see at which point you lose the events


sachdeva_2007
Explorer

When I removed the below line from the code, I'm getting the header detail but no value against them except the date column. I also changed time to Date in the code (refer to the attachment).

stats values(*) as * by time


index=XXXXX
| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<Date>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(Date, "%d/%m/%Y")
| eval {name}=duration
| fields - name duration
| fieldformat time=strftime(Date, "%d/%m/%Y")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses


ITWhisperer
SplunkTrust

You don't appear to have included these lines from my example

| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>"
| mvexpand transaction

sachdeva_2007
Explorer

It's pulling data, but it has scattered the values across multiple rows. Probably it's because of

mvexpand transaction

If we can ignore the seconds from the date, that would be great.


ITWhisperer
SplunkTrust

What is the current SPL you are using?


sachdeva_2007
Explorer

The one you shared:

| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>"
| mvexpand transaction
| rex field=transaction "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses

It's coming like this; it is not removing the seconds and further either.


sachdeva_2007
Explorer

Which I changed the time to Date.


ITWhisperer
SplunkTrust

Your Date has seconds in whereas my time does not - if you are not prepared to show exactly what you are doing, how do you expect me to be able to find the error?


ITWhisperer
SplunkTrust

If you are using the search I shared, where is the Date field coming from? Can you share the actual search you are using to get these results?


sachdeva_2007
Explorer

Output in two lines; ideally it should be in one line only.


ITWhisperer
SplunkTrust

This is because the transactions have different times - how do you want to group the transactions - by hour? by date? by event (ignoring the datetime)?


sachdeva_2007
Explorer

By date, so that it should be displayed in one line.


ITWhisperer
SplunkTrust

| eval time=strptime(time,"%d/%m/%Y")
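The grouping choice the thread ends on, worked through as an added Python example (not code from the thread or from Splunk). It reproduces the accepted pipeline (extract every Transaction element, `eval {name}=duration`, `stats values(*) as * by time`, `table`) on a constructed event, and shows why bucketing by minute leaves the 01:25 and 01:26 transactions on two rows while bucketing by date, the final `strptime(time,"%d/%m/%Y")`, puts them on one line. The sample event and the column list are assumptions taken from the thread's examples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample event: the thread's <Transaction/> elements inside the
# <PerformanceReport> container the asker's real events carry.
SAMPLE_EVENT = """<PerformanceReport>
<SearchCustomer>
<Transaction Name="Naviline" Time="02/11/1982 01:25:07:223" Duration="9.034" />
<Transaction Name="SIline" Time="02/11/1982 01:25:12:703" Duration="1.132" />
<Transaction Name="PrimaryAddress" Time="02/11/1982 01:25:22:154" Duration="1.375" />
<Transaction Name="SearchInServicing" Time="02/11/1982 01:26:03:115" Duration="1.149" />
<Transaction Name="NavExistingAddresses" Time="02/11/1982 01:26:05:060" Duration="1.885" />
</PerformanceReport>
</SearchCustomer>"""

# Same capture groups as the thread's rex; finditer() stands in for
# `rex max_match=0 ... | mvexpand transaction | rex field=transaction ...`.
TRANSACTION_RE = re.compile(
    r'<Transaction Name="(?P<name>[^"]+)"\sTime="(?P<time>[^"]+)"\sDuration="(?P<duration>[^"]+)"'
)
# Bucket granularity: (strptime format, leading characters of Time it covers).
# Splunk's strptime stops at the end of the format, so "%d/%m/%Y %H:%M" drops the
# seconds; Python's rejects trailing text, hence the explicit prefix length.
BUCKETS = {"minute": ("%d/%m/%Y %H:%M", 16), "date": ("%d/%m/%Y", 10)}
REPORT_COLUMNS = ["SIline", "PrimaryAddress", "SearchInServicing", "NavExistingAddresses"]


def parse_transactions(raw):
    """Return (name, raw_time, duration) for every Transaction element in the event."""
    return [(m["name"], m["time"], float(m["duration"])) for m in TRANSACTION_RE.finditer(raw)]


def pivot_by_bucket(raw, granularity="minute"):
    """One row per time bucket, one column per transaction name, i.e.
    `eval {name}=duration | stats values(*) as * by time`."""
    fmt, width = BUCKETS[granularity]
    rows = defaultdict(dict)
    for name, raw_time, duration in parse_transactions(raw):
        bucket = datetime.strptime(raw_time[:width], fmt)
        # stats values() yields a multivalue if a name repeats in a bucket; keep
        # a list so a repeat is visible rather than silently overwritten.
        rows[bucket].setdefault(name, []).append(duration)
    return {b.strftime(fmt): cols for b, cols in sorted(rows.items())}


def report(raw, granularity="minute", columns=REPORT_COLUMNS):
    """`| table time <columns>`: one list per row, None where the bucket has no value."""
    return [[bucket] + [", ".join(map(str, cols[c])) if c in cols else None for c in columns]
            for bucket, cols in pivot_by_bucket(raw, granularity).items()]
```

`report(SAMPLE_EVENT, "minute")` returns two rows with None in the columns whose transaction fell in the other minute; `report(SAMPLE_EVENT, "date")` returns the single fully populated row the asker wanted.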