Solved: Re: Field results

katouoma · ‎04-06-2018

Hi everyone,
I'm new in Splunk and I want some help from you (please).

Here is an image to explain what i'm trying to do:

For the field6 i have (for example) one code with 4 results in field5 with their time in field2. So i want to calculate the time (field2) for each 2 results of one code (qr.webservice.server.operation.response qr.webservice.server.operation.request) and (qr.ctg.GE01.response qr.ctg.GE01.request).

Here is what i've done until now:
sourcetype="bigdata:pf:itoa:frontend:java:qr" host=S00VA9939084
field5="qr*" AND field5!="qr.clientsweetdev.person.context" AND field6="H*"
| table field6 , field5 , field2

Thank you

mayurr98 · ‎04-06-2018

Hey

try this [TESTED]

<your query so far>| table field6 , field5 , field2 
|  rex field=field5 "qr\.(?<new>[^\.]+)" | eval field2=strptime(field2,"%H:%M:%S,%3Q")  | stats min(field2) as request,max(field2) as response by field6 ,new 
|  eval dur=response-request 
|  chart values(dur) over field6 by new

This will give result in seconds you may convert it according your need to minute or hour in |eval dur= using conversion logic
let me know if this helps!

View solution in original post

katouoma · ‎04-10-2018

I'm trying to send an email to alert my manager if XEROX or SICLID is greater than 2s, but he didn't receive anything so i think i made a mistake in the trigger condition:

katouoma · ‎04-09-2018

Thank you @mayurr98, this is exactly what i'm looking for.

However, i want to alert for example my manager if ctg or webservice is greater than 3s, he will receive an email with the line concerned.

mayurr98 · ‎04-09-2018

Yes you can rename it using rename command.also if you want to add any condition then you can do something like this

| rename webservice as WebService ctg as CTG | where WebService>3 OR CTG>3

Append this at the end of the search

mayurr98 · ‎04-06-2018

Hey

try this [TESTED]

<your query so far>| table field6 , field5 , field2 
|  rex field=field5 "qr\.(?<new>[^\.]+)" | eval field2=strptime(field2,"%H:%M:%S,%3Q")  | stats min(field2) as request,max(field2) as response by field6 ,new 
|  eval dur=response-request 
|  chart values(dur) over field6 by new

This will give result in seconds you may convert it according your need to minute or hour in |eval dur= using conversion logic
let me know if this helps!

HiroshiSatoh · ‎04-06-2018

Try this!

･･･
| table field6 , field5 , field2
| eval  field5=rtrim(field5,".response"),field5=rtrim(field5,".request")
| stats min(field2) as start,max(field2) as end by field6 ,field5
| eval dur=strptime(end,"%H:%M:%S,%3Q")-strptime(start,"%H:%M:%S,%3Q")
| table field6 , field5 , dur

katouoma · ‎04-09-2018

Thanks a lot for your response, the result looks like the seconde table 😄 Perfect

katouoma · ‎04-06-2018

I want to calculate the duration between:
- qr.webservice.server.operation.response & qr.webservice.server.operation.request
- qr.ctg.GE01.response & qr.ctg.GE01.request
Here is an example:

I don't know if it's possible !

Or even like this:

mayurr98 · ‎04-06-2018

What do you want to calculate exactly? It would be better if give us the expected output table as well for input table.

Field results

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!