Splunk Search

How to create a chart that calculates the time taken by date/time for a distinct step within a process?

mm977g
Explorer

Given the below log file, I need to create a chart that shows the time taken for a given step. The time is a summation of the count of steps * 15 seconds within a process instance. So for the example log below there are two process instances (2255130 & 2255800) and within each instance there are entries in the log for steps. In instance 2255130, there are two entries for the Step04 identifier and in instance 2255800 there is one entry for None (as the step identifier) and three entries for the Step01 identifier. Those would translate to:

   2255130.Step04 = 2 entries * 15 seconds graphed by day
   2255800.None = 1 entry * 15 seconds graphed by day
   2255800.Step01 = 3 entries * 15 seconds graphed by day

opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0825.LOG:PSAESRV.16316 (209) [2015-08-25T20:52:27.499](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255130 Current Step=SAD_TEST_PST.Process.Step04
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0825.LOG:PSAESRV.16316 (209) [2015-08-25T20:52:42.506](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255130 Current Step=SAD_TEST_PST.Process.Step04
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0825.LOG:PSAESRV.16316 (209) [2015-08-25T20:52:54.969](3) RunAeAsync service request completed successfully -- Application ID=SAD_TEST_PST Process Instance=2255130
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0825.LOG:PSAESRV.16316 (209) [2015-08-25T20:52:57.533](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Success Process Instance=2255130 Current Step=None
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0826.LOG:PSAESRV.16325 (414) [2015-08-26T11:12:54.558](3) RunAeAsync service request started -- Application ID=SAD_TEST_PST Run Control ID=EOS-SM336 Process Instance=2255800
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0826.LOG:PSAESRV.16325 (414) [2015-08-26T11:13:09.577](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_CRT_PGM.LastSchl.Step01
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0826.LOG:PSAESRV.16325 (414) [2015-08-26T11:13:24.586](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_3CS_LIB.3Cs.?
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0826.LOG:PSAESRV.16325 (414) [2015-08-26T11:13:39.612](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_TEST_PST.SrchMtch.Step01
/opt/apps/psft/cs90/P90SCOR/appserv/prcs/P90SCOR/LOGS/AESRV_0826.LOG:PSAESRV.16325 (414) [2015-08-26T11:13:54.623](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_CRT_PGM.LastSchl.Step01
0 Karma
1 Solution

somesoni2
Revered Legend

Assuming you already have a field Instance and Step extracted, try something like this

your base search | stats count by Instance Step | eval Duration=count*15


0 Karma
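Added example (not part of somesoni2's answer or the original thread): a Python check of the same count-by-Instance-and-Step times 15 calculation, broken out by day, run over the status lines from the question. The regex and the names `step_durations`, `short_step` and `POLL_SECONDS` are assumptions introduced here; the answer takes the `Instance` and `Step` fields as already extracted.

```python
import re
from collections import Counter

# Constructed sample: the log lines from the question with the file-path prefix trimmed.
SAMPLE = """\
[2015-08-25T20:52:27.499](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255130 Current Step=SAD_TEST_PST.Process.Step04
[2015-08-25T20:52:42.506](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255130 Current Step=SAD_TEST_PST.Process.Step04
[2015-08-25T20:52:54.969](3) RunAeAsync service request completed successfully -- Application ID=SAD_TEST_PST Process Instance=2255130
[2015-08-25T20:52:57.533](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Success Process Instance=2255130 Current Step=None
[2015-08-26T11:12:54.558](3) RunAeAsync service request started -- Application ID=SAD_TEST_PST Run Control ID=EOS-SM336 Process Instance=2255800
[2015-08-26T11:13:09.577](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_CRT_PGM.LastSchl.Step01
[2015-08-26T11:13:24.586](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_3CS_LIB.3Cs.?
[2015-08-26T11:13:39.612](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_TEST_PST.SrchMtch.Step01
[2015-08-26T11:13:54.623](0) RunAeProgAsync status -- Application ID=SAD_TEST_PST Status=Running Process Instance=2255800 Current Step=SAD_CRT_PGM.LastSchl.Step01
"""

# Assumed field extraction (hypothetical regex; the answer presumes Instance and Step already exist).
LINE_RE = re.compile(
    r"\[(?P<day>\d{4}-\d{2}-\d{2})T[^\]]+\].*?"
    r"Process Instance=(?P<Instance>\d+)\s+"
    r"Current Step=(?P<Step>\S+)"
)
POLL_SECONDS = 15  # each status entry stands for 15 seconds, per the question


def step_durations(log_text, short_step=True):
    """Return {(day, Instance, Step): seconds}: count by day/Instance/Step, times 15."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:  # "started"/"completed" lines carry no Current Step and are skipped
            continue
        step = m["Step"]
        if short_step:  # keep only the last dotted segment, e.g. Step04
            step = step.rsplit(".", 1)[-1]
        counts[(m["day"], m["Instance"], step)] += 1
    return {key: n * POLL_SECONDS for key, n in counts.items()}


if __name__ == "__main__":
    for (day, inst, step), secs in sorted(step_durations(SAMPLE).items()):
        print(f"{day}  {inst}.{step:<8} {secs:>4}s")
```

Passing `short_step=False` keeps the full `Current Step` value, which splits the Step01 entries of instance 2255800 between `SAD_CRT_PGM.LastSchl.Step01` and `SAD_TEST_PST.SrchMtch.Step01`.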


mm977g
Explorer

The answer provided showed the right direction to go to resolve this. Thanks

0 Karma