Splunk Search

How can I make my table results in 3s time intervals?

moizmmz
Path Finder

Query I am running:

index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null() 
|table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
| rename  message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
|sort -_time

This results in the following table:

https://drive.google.com/open?id=1PaUuxMNy29QYtjzKbc2i0ulGybXXSnL6 (also shown in image)

As shown in the image, the results have varying time intervals.
I want to get the results in the table to be in time intervals of 3s.

How do I go about doing it?

Thanks!

Tags (2)
0 Karma
1 Solution

sdchakraborty
Contributor

Hi,

Can you try the below search,

index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null() 
 |table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
 | rename  message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
 |sort -_time
 |  mvexpand Channel
| mvexpand Duration
|  bin span=3s _time
|  stats values(Channel) as Channel, values(Duration) as Duration by _time

View solution in original post

0 Karma

sdchakraborty
Contributor

Hi,

Can you try the below search,

index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null() 
 |table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
 | rename  message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
 |sort -_time
 |  mvexpand Channel
| mvexpand Duration
|  bin span=3s _time
|  stats values(Channel) as Channel, values(Duration) as Duration by _time
0 Karma

moizmmz
Path Finder

It is giving me the 3s interval. Thanks :slightly_smiling_face:

But its also giving me other data I don't want. Sorta combining two mv values

0 Karma

moizmmz
Path Finder

But on explicitly eliminating that data using '!=', I got what I wanted :slightly_smiling_face:

Thank you!!

0 Karma

sdchakraborty
Contributor

Cool.please accept it as answer if it is resolved your issue.

0 Karma

moizmmz
Path Finder

Hey..I'm seeing a problem, the time stamp is repeating in some cases

0 Karma

moizmmz
Path Finder

Never mind, used dedup :face_with_tongue:

0 Karma

nagarjuna280
Communicator

try adding at the end

| bin _time span=3s | stats values(channel), values(duaration)

0 Karma

moizmmz
Path Finder

Nope.
The results are mv and without a timestamp.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...