Solved: How to chart elapsed time performance data from db...

danoconnl · ‎11-23-2014

I've got a db query that returns an activity name and then the elapsed time of the activity that I would like to chart
date returned is in the following format

Activity timing
a 0:0:33 (hh:m:ss)
b 0:0:54
c 0:1:23
d 0:0:2

but when I give the query to the chart, it only puts the activities on the x axis.
I figure I need to tell the chart that the timing part of the data set is a timespan, I just don't know how to

martin_mueller · ‎11-23-2014

Try this:

base search involving dbquery | rex field=timing "(?<h>\d+):(?<m>\d+):(?<s>\d+)" | eval duration = s + 60 * (m + 60 * h) | chart avg(duration) by Activity

View solution in original post

martin_mueller · ‎11-23-2014

Try this:

base search involving dbquery | rex field=timing "(?<h>\d+):(?<m>\d+):(?<s>\d+)" | eval duration = s + 60 * (m + 60 * h) | chart avg(duration) by Activity

How to chart elapsed time performance data from dbquery?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation