Hi everyone,
I'm new to Splunk and I want some help from you (please).
Here is an image to explain what I'm trying to do:
For field6 I have (for example) one code with 4 results in field5, with their time in field2. So I want to calculate the time (field2) between each 2 results of one code (qr.webservice.server.operation.response / qr.webservice.server.operation.request) and (qr.ctg.GE01.response / qr.ctg.GE01.request).
Here is what I've done until now:
sourcetype="bigdata:pf:itoa:frontend:java:qr" host=S00VA9939084
field5="qr*" AND field5!="qr.clientsweetdev.person.context" AND field6="H*"
| table field6 , field5 , field2
Thank you
Hey
try this [TESTED]
<your query so far>| table field6 , field5 , field2
| rex field=field5 "qr\.(?<new>[^\.]+)" | eval field2=strptime(field2,"%H:%M:%S,%3Q") | stats min(field2) as request,max(field2) as response by field6 ,new
| eval dur=response-request
| chart values(dur) over field6 by new
This will give the result in seconds; you may convert it according to your need to minutes or hours in |eval dur= using conversion logic.
Let me know if this helps!
I'm trying to send an email to alert my manager if XEROX or SICLID is greater than 2s, but he didn't receive anything, so I think I made a mistake in the trigger condition:
Thank you @mayurr98, this is exactly what I'm looking for.
However, I want to alert, for example, my manager if ctg or webservice is greater than 3s; he will receive an email with the line concerned.
Yes, you can rename it using the rename command. Also, if you want to add any condition, you can do something like this:
| rename webservice as WebService ctg as CTG | where WebService>3 OR CTG>3
Append this at the end of the search
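As an added, offline illustration (not part of any post in this thread), the pipeline from the answer above re-done in Python: extract the second dotted component of field5 like the rex, parse the "%H:%M:%S,%3Q" times, take min/max per (field6, new) like the stats command, and apply the >3s condition from the where clause. The rows are constructed; the midnight wrap-around handling is an assumption added here, the SPL as posted does not do it.

```python
"""Re-implementation of the SPL above over constructed rows (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample rows: (field6 = code, field5 = operation, field2 = time).
ROWS = [
    ("H001", "qr.webservice.server.operation.request",  "10:15:01,120"),
    ("H001", "qr.webservice.server.operation.response", "10:15:04,620"),
    ("H001", "qr.ctg.GE01.request",                     "10:15:01,300"),
    ("H001", "qr.ctg.GE01.response",                    "10:15:02,100"),
    ("H002", "qr.ctg.GE01.request",                     "23:59:59,900"),
    ("H002", "qr.ctg.GE01.response",                    "00:00:00,400"),
]

NEW_RE = re.compile(r"qr\.([^.]+)")   # same capture as rex "qr\.(?<new>[^\.]+)"
TIME_FMT = "%H:%M:%S,%f"              # Python's %f stands in for Splunk's %3Q

def parse_time(text):
    # field2 carries only a time of day, so the date part is arbitrary.
    return datetime.strptime(text, TIME_FMT)

def durations(rows):
    """Return {(field6, new): seconds}, i.e. max(field2) - min(field2) per group."""
    groups = {}
    for code, op, t in rows:
        m = NEW_RE.match(op)
        if not m:
            continue
        groups.setdefault((code, m.group(1)), []).append(parse_time(t))
    result = {}
    for key, times in groups.items():
        dur = max(times) - min(times)
        # Assumption added here: with no date in field2, a request just before
        # midnight and its response just after would look like ~24h apart, so a
        # gap over 12h is treated as crossing midnight.
        if dur > timedelta(hours=12):
            dur = timedelta(days=1) - dur
        result[key] = round(dur.total_seconds(), 3)
    return result

def over_threshold(durs, limit=3.0):
    """Groups whose duration exceeds the limit (the where WebService>3 OR CTG>3 check)."""
    return sorted(k for k, v in durs.items() if v > limit)

if __name__ == "__main__":
    d = durations(ROWS)
    for key, seconds in sorted(d.items()):
        print(key, seconds)
    print("over 3s:", over_threshold(d))
```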
Try this!
・・・
| table field6 , field5 , field2
| eval field5=replace(field5,"\.(response|request)$","")
| stats min(field2) as start,max(field2) as end by field6 ,field5
| eval dur=strptime(end,"%H:%M:%S,%3Q")-strptime(start,"%H:%M:%S,%3Q")
| table field6 , field5 , dur
Thanks a lot for your response, the result looks like the second table 😄 Perfect
What do you want to calculate exactly? It would be better if you give us the expected output table as well as the input table.