Splunk Search



I am building a graph that shows processing time. If there is a way to display the Y axis in "HH:MM:SS" format, please let me know.

0 Karma

Path Finder

There is a way to do this. The first question is: in your data, is the _time field of the event equal to the processing time (処理時間)?

If it is, then you can probably do something like:
|timechart count(something) - this charts x values over y time axis.
| eval _time = strftime(_time, "%H:%M:%S") - this takes the time field and displays just the hours, minutes, and seconds, separated by ':' symbols.

If the _time field of the event is NOT the same as the Processing Time field, it is a little harder to guess at the answer but should be similar:
| eval _time = strptime(処理時間, "%H:%M:%S") - this turns the human readable time into computer readable time
|timechart count(something) - this charts x values over y time axis.

If you are able to share a single event I could probably do better.




0 Karma



[English translation by Google translation]
Thank you for your advice.

>There is a way to do this. the first question is: in your data, is the _time field of the event equal to the processing time?

No, it's different.

An example of data is

| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223"
| multikv forceheader=1
| chart sum(procTime) as pTime by baseDate

For the data, I want to format pTime, which is the Y axis, in "HH:MM:SS" format.

0 Karma

Path Finder

Thank you for the sample data set.  If I am understanding you correctly, all you need is this:
| eval pTimeFull=tostring(pTime, "duration")

The full example looks like this:
| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223"
| multikv forceheader=1
| chart sum(procTime) as pTime by baseDate
| eval pTime=tostring(pTime, "duration")

Splunk has a built-in toString method that converts seconds to human readable H:M:S format.

Was that able to solve your issue?

0 Karma



[English translation by Google translation]

Thanks for any further advice.

If you add "eval pTime=tostring(pTime, "duration")", it is output in "HH:MM:SS" format in the Statistics tab.
But in visualizations (Line Chart and Column Chart), the Y-axis is not output in "HH:MM:SS" format...

0 Karma

Path Finder

Thank you for sharing that, I understand the problem. However, I have done a reasonably thorough review of the internet and while many people have this same question, I was not able to find anyone who had solved it in a way I could reproduce.

What if we changed minutes to hours? It is not ideal, because you end up with decimal hour units, 8.6 hours etc., but it is more intuitive perhaps than minutes and it is easily possible. You could waste many hours putting together an alternative when this gets you most of the way.

| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223
"
| multikv forceheader=1
| eval pHours = procTime/60
| chart sum(pHours) as Hours by baseDate
| eval Hours = round(Hours,1)

I am sorry I wasn't able to be of more help. Splunk tempts us with how much it CAN do, but it still has many things it cannot.








0 Karma
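
An added example, not part of the original thread: because the Line and Column Chart Y axis only plots numeric values, one way to keep the "HH:MM:SS" value visible is to leave pTime numeric and append the tostring(pTime, "duration") string to each X-axis category label. It assumes procTime is in seconds, as the start and end columns of the sample data indicate; the axis name "Processing time (s)" is made up for the illustration.

```spl
| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223"
| multikv forceheader=1
| chart sum(procTime) as pTime by baseDate
| eval baseDate = baseDate . " (" . tostring(pTime, "duration") . ")"
| rename pTime as "Processing time (s)"
```

With the sample data the categories become "2023/05/01 (00:08:34)" and "2023/05/02 (00:09:03)", while the plotted values stay 514 and 543.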