Splunk Search

Adding Outputs of a Search to Timechart

_gkollias
Builder

Hi All,

I'd like to add duration and last week's avg duration values into the timechart to help display time better; however, I'm not getting accurate results with what I have. Here is the search without timechart:

index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, earliest(_time) as _time, latest(_time) as end_time, latest(status) as status by svc_context_id, bp_context_id
| eval duration=(end_time-_time)
| join type=left svc_context_name [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
      | stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| where duration>(2*prev_week_avg_duration)
| bucket span=10m _time | table _time, duration, prev_week_avg_duration | sort - _time

Increasing bucket span doesn't help either. I know there needs to be something like
...| timechart span=10m max(duration) as current_duration, min(duration) as prev_week_avg_duration, but this isn't working.

Any suggestions would be greatly appreciated

Thanks!

0 Karma

lguinn2
Legend

This is as close as I can get with the information you have provided...

index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, range(_time) as current_duration, earliest(_time) as timestamp, latest(status) as status by svc_context_id, bp_context_id
| bucket timestamp span=10m
| stats avg(current_duration) as current_duration by timestamp svc_context_name
| join type=left svc_context_name [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
      | stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| table svc_context_name timestamp current_duration prev_week_avg_duration
0 Karma

_gkollias
Builder

Sorry, I really appreciate the help, but this also doesn't work. The actual durations are off...there has to be a way! 🙂

0 Karma

_gkollias
Builder

There are only two variables, and that is the duration and prev_week_avg_duration. Time is automatically added by the timechart.

0 Karma

lguinn2
Legend

You can't have that many variables on a timechart - you only have 3 to work with:

X axis - time
Y axis - duration (in seconds, I suppose)
multiple lines based on a third variable - which one?

0 Karma

_gkollias
Builder

Sorry for the confusion. So what I am doing here is calculating duration of orders from today that are greater than the avg duration of orders from last week. So I am trying to add 'duration' and 'prev_week_avg_duration' to a line graph via timechart. Please let me know if that helps. Thank you

0 Karma

lguinn2
Legend

I tried to figure out an answer to this, but I got very confused about what you actually want to see on the timechart.

0 Karma
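An added example, not code from the thread or from Splunk, of one way to get both series onto a single timechart: keep the per-order fields the original search computes, then aggregate `duration` and the joined `prev_week_avg_duration` inside `timechart` rather than deriving the baseline from `duration` a second time, which is what `min(duration) as prev_week_avg_duration` did. Index, sourcetype and field names are taken from the question; the `ratio`/`slowdown_factor` field is an assumption added here.

```spl
index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name,
        earliest(_time) as _time,
        latest(_time) as end_time,
        latest(status) as status
        by svc_context_id, bp_context_id
| eval duration=end_time-_time
| join type=left svc_context_name
    [ search index=contract_gateway_summary source=contract_process_summary
             earliest=-7d@d latest=-6d@d bp_bp_name=PO
      | stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| where duration > 2*prev_week_avg_duration
| eval ratio=duration/prev_week_avg_duration
| timechart span=10m
        max(duration) as current_duration,
        max(prev_week_avg_duration) as prev_week_avg_duration,
        max(ratio) as slowdown_factor
```

Orders whose `svc_context_name` has no row in last week's summary get a null baseline and are silently dropped by the `where` clause, so check the per-order table first if the chart looks sparse. Because each 10-minute bucket mixes every service that had a slow order in it, the two duration lines shift with that mix, while `slowdown_factor` (duration divided by its own service's baseline) stays comparable across services.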