Im trying to convert the milliseconds on the y axis to seconds, TM is the field that has the milliseconds. (TM field has been changed to requestTime using regex)
host=<hostname> index=<index name> sourcetype="sourcetype name>" SP="8*" | rex field=_raw "TM=(?<requestTime>\d+)" | dedup requestTime | timechart span=1h distinct_count(requestTime) by SP useother=false | eval warning = 10000
I tried the below search, but it didn't work
... | search requestTime | eval newtime=round('requestTime'/1000)
Hi @Jewatson17,
What you are trying is distinct_count
which function will just return the distinct count of values of requestTime. If you just want count then it doesn't matter weather that is in milliseconds or in seconds. I think you should try other functions like avg
or sum
. In that case you can convert milliseconds into seconds, try below query (where I've used avg function but you can use anything else).
host=<hostname> index=<index name> sourcetype="sourcetype name>" SP="8*" | rex field=_raw "TM=(?<requestTime>\d+)" | timechart span=1h eval(avg(requestTime)/1000) by SP useother=false | eval warning = 10000
Hopefully this helps, correct me if I understand your requirement incorrectly.
I suspect what you're seeing on the y axis is the unique count of times a specific requestTime was seen.
If you change your query from:
timechart span=1h distinct_count(requestTime) by SP useother=false
To:
stats distinct_count(requestTime) by SP
We should see a count of distinct values... so for example if requestTime had five cases where it was 2300 ms and 10 cases where it was 2500 ms then distinct_count would be 2. I don't think this is what you're looking for.
Instead, maybe try something like the following:
host=<hostname> index=<index name> sourcetype="sourcetype name>" SP="8*"
| rex field=_raw "TM=(?<requestTime>\d+)"
| eval reqtimesec = round(requestTime/1000, 2)
| timechart span=1h max(reqtimesec) as maxt, min(reqtimesec) as mint, avg(reqtimesec) as avgt by SP useother=false
| eval warning=10
This will give you the average, max time, and min time of a specific SP (which looks a lot like SSO data to me :-D)
Hope that helps!