Hi, I'm working on speeding up searches that I initially wrote using the transaction command.
A transaction is defined in my case as two different timestamped events (each event has 2 data lines). I want to get the average transaction time of all transactions occurring in a 10min period, which I can do with this:
<data> | transaction transID maxevents=2 | timechart span=10m avg(duration)
I'm attempting to avoid the transaction command in order to use auto-acceleration and speed up execution time. My best attempt so far is the following (based on the Splunk doc example):
<data> | stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval t=strftime(start, "%m/%d/%y %H:%M:%S") | table t, RTT | chart avg(RTT) by t
which might be a little redundant but gets me the following output:
Timestamp            avg(RTT)
11/12/13 11:18:00    0.10945
11/12/13 11:18:01    0.13556
I'd like to somehow chart this over time like the transaction command.
Can someone point me in the right direction? I thought the timechart command could be used if the first column of data is a timestamp but all my combinations of chart/timechart return "No Results Found".
What timechart does is roughly this: "bucket _time | chart somefunction(X) over _time". So it's got nothing to do with what is in the first column - _time will always be used.
Building on your example you could just switch the last chart command for "bucket start | chart avg(RTT) over start by t" if you want to get results over time.
Thanks so much!
Between this advice and your comments on this thread about time format conversion: http://answers.splunk.com/answers/52806/string-to-time-and-then-timechart I have exactly what I need. I'll put my search query below for others to learn from.
| stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval _time=start | timechart avg(RTT)
The key is to set the implicit _time field to be my calculated time field (called start). Then timechart works correctly. The bucketing idea works as well, but this is more concise.
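Added example, not part of the original thread: the stats-based search from the last post, run over constructed sample events so it can be pasted into any search bar, with the 10-minute span from the original question restored. The field names constructed_sample and events, the sample values, and the events=2 filter (which drops a transID that has only one event so far) are assumptions made for this illustration.

```spl
| makeresults
| eval constructed_sample="1384255080.00,A 1384255080.11,A 1384255081.00,B 1384255081.14,B 1384255700.00,C 1384255700.30,C 1384255710.00,D"
| makemv delim=" " constructed_sample
| mvexpand constructed_sample
| eval _time=tonumber(mvindex(split(constructed_sample, ","), 0))
| eval transID=mvindex(split(constructed_sample, ","), 1)
| stats min(_time) AS start max(_time) AS end count AS events by transID
| where events=2
| eval RTT=end-start
| eval _time=start
| timechart span=10m avg(RTT)
```

Unlike transaction with maxevents=2, stats groups every event that shares a transID into one row, so a transID that is reused for a later exchange would be measured as one long transaction. Replace the first six lines with the real base search once the output matches the transaction version.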