Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help tracking average completion time of a process in Splunk

mateofrito
New Member
‎10-01-2019 12:04 PM

Below I have sample data from a process that Blue Prism outputs during each event in a process. I am trying to create a time chart that tracks how long it takes each process to run. What I need is some sort of chart that has different colored lines for each process. However, I cannot quite get that to work.

   currprocessid: a2672568-5faf-4ebe-a3d8-d16542fb7a96
   currprocessname: Auto Payoff
   currprocesstype: 0
   eventId: endProcess
   mainprocessid: a2672568-5faf-4ebe-a3d8-d16542fb7a96
   mainprocessname: Auto Payoff
   pageid: 00000000-0000-0000-0000-000000000000
   pagename: Main Page
   resourceName: computer1
   sessionNumber: 110995
   sessionid: 8dce2381-0db4-4e69-a15e-0b84091ee489
   stageid: 47648a05-b3e4-452d-a374-c6f156abc86c
   stagename: End2
   when: 2019-10-01T11:56:56.1005506Z

This is the search I have:

index="rpa"  | stats earliest(_time) AS earliest latest(_time) AS latest BY sessionid  | eval duration = tostring((latest-earliest), "duration")

This is obviously not correct as it's not populating the data properly.

The Y-axis would have the time in minutes, while the X-axis would be by date. The lines in the graph would be by the average sessionid completion time by mainprocessname.

I hope this makes sense.

0 Karma
Reply

cmerriman
Super Champion
‎10-01-2019 05:51 PM

as a fun note, you can use range to calculate duration. It will not format it, but in a chart, you will need it as a number, not a string.

you also mention you want this by date, which I don't see in the query provided.

something to get you started might be:

index=rpa
|stats range(_time) as duration max(_time) as _time by sessionId
|eval duration_min=round(duration/60,2)
|timechart avg(duration_min) as avg_duration_min by sessionId
0 Karma
Reply

mateofrito
New Member
‎10-01-2019 07:02 PM

Thank you, I’ll give this a try tomorrow.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...