Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart - map data over same interval everyday

deepak02
Path Finder
‎10-06-2017 08:23 AM

Hi,

I have a requirement to timechart data over the same time everyday for the past one month.

E.g.: Maximum responseTime between 9 and 10 everyday for the past month.

Query to construct timechart is:

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 | timechart max(responseTime)

How do I modify this search such that the timechart displays values only between 9 and 10 (and not the whole day) everyday?
Sample chart given below.

Thanks,
Deepak

alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply

cmerriman
Super Champion
‎10-06-2017 08:54 AM

i see you're already limiting date_hour=9 so the data you're pulling is only from the 9AM hour (9-10 AM) every day, and not the whole day. Timechart will display the dates on the axis, not the date/hour. Timechart, also, will make the time continuous, if you don't specify a span. 

|timechart span=1d max(responseTime)

will group it into one day buckets, though it won't display the hour.

Reply

deepak02
Path Finder
‎10-06-2017 09:16 AM

Thankyou.

I would like to display the time and value on the graph.
For instance, if the maximum duration for Oct 5 is 2214 at 09:30:51.225, I would like the data point to read (Oct 5 09:30:51 - 2214).

The idea is I want to study what is the trend of responseTime everyday. I am supposed to reduce it below 1000 ms, and I need to know how much of the transactions are taking more than 1000 ms.

0 Karma
Reply

cmerriman
Super Champion
‎10-06-2017 10:05 AM

try this, instead:

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 
|timechart max(responseTime) span=5m cont=f
|timewrap 1d

change the span in timechart to your liking, i put it to bucket every 5 minutes.

you can remove the timewrap if you want. that'll display a line per day, which might get hard to read.

0 Karma
Reply

DalJeanis
Legend
‎10-06-2017 09:14 AM

If you really WANT the hour displayed, you could try something like this...

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 
| bin _time span=1h
| timechart span=1h max(responseTime) cont=f

But the axis labels in timechart are a bit unpredictable.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...