Splunk Search

Adding Outputs of a Search to Timechart

_gkollias
SplunkTrust

Hi All,

I'd like to add duration and last week's avg duration values into a timechart to help display time better, however I'm not getting accurate results with what I have. Here is the search without timechart:

index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, earliest(_time) as _time, latest(_time) as end_time, latest(status) as status, by svc_context_id, bp_context_id
| eval duration=(end_time-_time)
| join svc_context_name type=left [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
      | stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| where duration>(2*prev_week_avg_duration)
| bucket span=10m _time
| table _time, duration, prev_week_avg_duration
| sort - _time

Increasing bucket span doesn't help either. I know there needs to be something like
...| timechart span=10m max(duration) as current_duration, min(duration) as prev_week_avg_duration, but this isn't working.

Any suggestions would be greatly appreciated.

Thanks!


lguinn2
Legend

This is as close as I can get with the information you have provided....

index=contract_gateway sourcetype=esb_audit  earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, range(_time) as current_duration, earliest(_time) as timestamp, latest(status) as status, by svc_context_id, bp_context_id 
| bucket timestamp span=10m
| stats avg(current_duration) as current_duration by timestamp svc_context_name
| join svc_context_name type=left [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO  
      | stats avg(duration) as prev_week_avg_duration by svc_context_name ]  
| table svc_context_name timestamp current_duration prev_week_avg_duration

_gkollias
SplunkTrust

Sorry, I really appreciate the help, but this also doesn't work. The actual durations are off... there has to be a way! 🙂


_gkollias
SplunkTrust

There are only two variables, and those are duration and prev_week_avg_duration. Time is automatically added by the timechart.


lguinn2
Legend

You can't have that many variables on a timechart - you only have 3 to work with:

X axis - time
Y axis - duration (in seconds, I suppose)
multiple lines based on a third variable - which one?


_gkollias
SplunkTrust

Sorry for the confusion. So what I am doing here is calculating duration of orders from today that are greater than the avg duration of orders from last week. So I am trying to add 'duration' and 'prev_week_avg_duration' to a line graph via timechart. Please let me know if that helps. Thank you


lguinn2
Legend

I tried to figure out an answer to this, but I got very confused about what you actually want to see on the timechart.

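One way to put both series on a single timechart, given as an added example and not code from either poster: keep the asker's search up to the where clause, drop the manual bucket/table step, and let timechart do the 10-minute bucketing and aggregate both fields per span. Index, sourcetype and field names are taken from the thread; the choice of avg as the per-bucket aggregation is an assumption.

```spl
index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name,
        earliest(_time) as _time,
        latest(_time) as end_time,
        latest(status) as status
        by svc_context_id, bp_context_id
| eval duration=end_time-_time
| join svc_context_name type=left
    [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
      | stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| where duration > 2*prev_week_avg_duration
| timechart span=10m avg(duration) as current_duration, avg(prev_week_avg_duration) as prev_week_avg_duration
```

This gives the three things lguinn2 describes: _time on the X axis, seconds on the Y axis, and two lines (current_duration and prev_week_avg_duration). Because timechart aggregates every order whose start time falls in the same 10-minute span, a bucket with several slow orders shows their average rather than each individual duration, which is the kind of difference that makes the plotted values look "off" next to a per-order table; use max(duration) instead of avg(duration) if the slowest order per span is what matters. Note also that join runs its subsearch under Splunk's subsearch result and time limits, so on a large summary index the left join can be silently truncated and prev_week_avg_duration left empty for some svc_context_name values.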