Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me combine 2 queries into a timechart?

cindywee
New Member
‎11-28-2018 10:45 PM

Hi all,

I have the following data and I need some help to progress further.

I have fields: _time uniqueId action user host

The events are paired. Both events share the same uniqueId, user and host, and each will have an "action" which is "action connect" or "action disconnect".

I am trying to create a single 5mins span timechart, showing number of "paired events" and the average duration for that 5 mins.

I am able to do that with separate queries but I am unable to join them into one, or find a better query.

index=myindex action=\*action*
| stats min(_time) as Start, max(_time) as End, by uniqueId user host
 | eval Duration = tostring((End - Start), "duration") 
| eval Start_time=strftime(Start,"%F %T") 
| eval End_time=strftime(End,"%F %T") 
| where Duration!="00:00:00"
| table uniqueId user host Start_time End_time Duration

index=myindex action=\*action*
|bin _time span=5m 
| stats count(uniqueId) as Sessions by _time

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎12-09-2018 11:14 PM

Try this:

index=myindex action=\*action*
| stats min(_time) AS _time range(_time) AS duration BY uniqueId user host
| search duration>0    
| timechart span=5m dc(uniqueId) AS Sessions avg(duration) as avgDuration
0 Karma
Reply

stuartidelta01
Path Finder
‎12-05-2018 11:38 AM

(1) You need to carry forward _time from your stats command if you plan to use a timechart afterwards - in the example below I use "earliest(_time) as _time" to achieve this - this associates the event with the time it started

(2) Use range(_time) to calculate a duration 

index=myindex action=\*action*
|stats earliest(_time) as _time range(_time) as duration by uniqueId user host
|timechart span=5m avg(duration) as avgDuration dc(uniqeId) as Sessions

You will probably then find that the two series on the timechart operate on different scales - use the overlay control in the timechart to allow one of the series to be represented differently. e.g. set the timechart to an area chart and then use overlay controls to set the pairedEvents series to be a line on that chart. Click on the option to allow it to have it's own scale, which will appear on the right hand side of the chart.

You may want to create a new field called durationMS and use that instead for a nicer output, e.g.

eval durationMS = duration * 1000

then avg(durationMS) in the timechart

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...