Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I make my table results in 3s time interva...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-06-2018
03:50 PM
Query I am running:
index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null()
|table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
| rename message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
|sort -_time
This results in the following table:
https://drive.google.com/open?id=1PaUuxMNy29QYtjzKbc2i0ulGybXXSnL6 (also shown in image)
As shown in the image, the results have varying time intervals.
I want to get the results in the table to be in time intervals of 3s.
How do I go about doing it?
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
12-06-2018
10:19 PM
Hi,
Can you try the below search,
index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null()
|table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
| rename message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
|sort -_time
| mvexpand Channel
| mvexpand Duration
| bin span=3s _time
| stats values(Channel) as Channel, values(Duration) as Duration by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
12-06-2018
10:19 PM
Hi,
Can you try the below search,
index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null()
|table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
| rename message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
|sort -_time
| mvexpand Channel
| mvexpand Duration
| bin span=3s _time
| stats values(Channel) as Channel, values(Duration) as Duration by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:22 AM
It is giving me the 3s interval. Thanks 🙂
But its also giving me other data I don't want. Sorta combining two mv values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:27 AM
But on explicitly eliminating that data using '!=', I got what I wanted 🙂
Thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
12-07-2018
09:26 AM
Cool.please accept it as answer if it is resolved your issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:36 AM
Hey..I'm seeing a problem, the time stamp is repeating in some cases
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:51 AM
Never mind, used dedup 😛
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nagarjuna280
Communicator
12-06-2018
04:42 PM
try adding at the end
| bin _time span=3s | stats values(channel), values(duaration)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-06-2018
05:07 PM
Nope.
The results are mv and without a timestamp.
Get Updates on the Splunk Community!
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
