- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a response time graph based on two t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a field in my logs that looks like this:
Timestamp: 1477292160636560 1217
The first number is time at which the request was received in unix epoch standard. The 2nd number is the response time. I want to use the 2 numbers to make a line graph with the days on the x-axis and the response times on the y-axis so I can see what my response times were throughout a single day, past 7 days, past month, etc.
I wrote this search but I'm missing a few pieces to make the line chart:
* | rex field=_raw "Timestamp:\s(?<request_time>\d+)\s(?<response_time>\d+)" | timechart count by response_time
What am I missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you are interested in making the line chart of response_time over the epoch time request_time that you extract, hence how about you assign this epoch time request_time to _time and then do the timechart on the avg(response_time). Something like:
your query to return events earliest=@d
| rex field=_raw "Timestamp:\s(?<request_time>\d+)\s(?<response_time>\d+)"
| eval _time=request_time
| timechart avg(response_time) span=5m
Change span=5m accordingly to what you want and accrodinglt adjust the earliest=@d to -7d@d and so on. Leave out span=5m if you want timechart to automatically adjust the span for you.
Also explore min(response_time), max(response_time) etc in the timechart command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How many entries will be there per day? Do you want to plot avg response time by day or similar?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you are interested in making the line chart of response_time over the epoch time request_time that you extract, hence how about you assign this epoch time request_time to _time and then do the timechart on the avg(response_time). Something like:
your query to return events earliest=@d
| rex field=_raw "Timestamp:\s(?<request_time>\d+)\s(?<response_time>\d+)"
| eval _time=request_time
| timechart avg(response_time) span=5m
Change span=5m accordingly to what you want and accrodinglt adjust the earliest=@d to -7d@d and so on. Leave out span=5m if you want timechart to automatically adjust the span for you.
Also explore min(response_time), max(response_time) etc in the timechart command.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
