Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me combine 2 queries into a timechart?

cindywee
New Member
‎11-28-2018 10:45 PM

Hi all,

I have the following data and I need some help to progress further.

I have fields: _time uniqueId action user host

The events are paired. Both events share the same uniqueId, user and host, and each will have an "action" which is "action connect" or "action disconnect".

I am trying to create a single 5mins span timechart, showing number of "paired events" and the average duration for that 5 mins.

I am able to do that with separate queries but I am unable to join them into one, or find a better query.

index=myindex action=\*action*
| stats min(_time) as Start, max(_time) as End, by uniqueId user host
 | eval Duration = tostring((End - Start), "duration") 
| eval Start_time=strftime(Start,"%F %T") 
| eval End_time=strftime(End,"%F %T") 
| where Duration!="00:00:00"
| table uniqueId user host Start_time End_time Duration

index=myindex action=\*action*
|bin _time span=5m 
| stats count(uniqueId) as Sessions by _time

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎12-09-2018 11:14 PM

Try this:

index=myindex action=\*action*
| stats min(_time) AS _time range(_time) AS duration BY uniqueId user host
| search duration>0    
| timechart span=5m dc(uniqueId) AS Sessions avg(duration) as avgDuration
0 Karma
Reply

stuartidelta01
Path Finder
‎12-05-2018 11:38 AM

(1) You need to carry forward _time from your stats command if you plan to use a timechart afterwards - in the example below I use "earliest(_time) as _time" to achieve this - this associates the event with the time it started

(2) Use range(_time) to calculate a duration 

index=myindex action=\*action*
|stats earliest(_time) as _time range(_time) as duration by uniqueId user host
|timechart span=5m avg(duration) as avgDuration dc(uniqeId) as Sessions

You will probably then find that the two series on the timechart operate on different scales - use the overlay control in the timechart to allow one of the series to be represented differently. e.g. set the timechart to an area chart and then use overlay controls to set the pairedEvents series to be a line on that chart. Click on the option to allow it to have it's own scale, which will appear on the right hand side of the chart.

You may want to create a new field called durationMS and use that instead for a nicer output, e.g.

eval durationMS = duration * 1000

then avg(durationMS) in the timechart

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...