How to create a response time graph based on two timestamps?

New Member

I have a field in my logs that looks like this:

Timestamp: 1477292160636560 1217

The first number is time at which the request was received in unix epoch standard. The 2nd number is the response time. I want to use the 2 numbers to make a line graph with the days on the x-axis and the response times on the y-axis so I can see what my response times were throughout a single day, past 7 days, past month, etc.

I wrote this search but I'm missing a few pieces to make the line chart:

* | rex field=_raw "Timestamp:\s(?<request_time>\d+)\s(?<response_time>\d+)" | timechart count by response_time

What am I missing?

Re: How to create a response time graph based on two timestamps?

Motivator

Since you are interested in making a line chart of response_time over the epoch time request_time that you extract, how about assigning this epoch time request_time to _time and then doing the timechart on avg(response_time)? Something like:

your query to return events earliest=@d
| rex field=_raw "Timestamp:\s(?<request_time>\d+)\s(?<response_time>\d+)"
| eval _time=request_time/1000000
| timechart avg(response_time) span=5m

Change span=5m according to what you want and accordingly adjust the earliest=@d to -7d@d and so on. Leave out span=5m if you want timechart to automatically choose the span for you.

Also explore min(response_time), max(response_time) etc in the timechart command.

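As an added example (not code from the original thread or from Splunk), the following Python reproduces what that search does, so the bucketing can be checked outside Splunk: the regex plays the role of rex, snap_to_day stands in for earliest=@d, and timechart_stats buckets _time into 5-minute spans and computes avg, min and max per bucket. It divides request_time by 1,000,000 on the assumption that the 16-digit value in the question is a Unix epoch in microseconds (1477292160 seconds is 2016-10-24 UTC); Splunk's _time is in seconds, so assigning the raw value without that division would place every event millions of years in the future. The sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
TIMESTAMP_RE = re.compile(r"Timestamp:\s(?P<request_time>\d+)\s(?P<response_time>\d+)")

# Assumption: the 16-digit value in the question is an epoch in microseconds
# (1477292160 seconds is 2016-10-24 UTC), so _time = request_time / 1_000_000.
MICROSECONDS_PER_SECOND = 1_000_000

# Constructed sample events, not taken from the original thread.
SAMPLE_EVENTS = [
    "Timestamp: 1477292160636560 1217",
    "Timestamp: 1477292190000000 900",
    "Timestamp: 1477292460123456 1500",
    "Timestamp: 1477292500000000 500",
    "Timestamp: 1477200000000000 999",   # previous day: dropped by earliest=@d
    "no Timestamp field on this line",   # rex extracts nothing: dropped by timechart
]


def extract(event):
    """Equivalent of the rex: return (request_time_us, response_time) or None."""
    m = TIMESTAMP_RE.search(event)
    if not m:
        return None
    return int(m.group("request_time")), int(m.group("response_time"))


def snap_to_day(epoch_seconds):
    """Splunk's @d snap: midnight UTC of the day containing epoch_seconds."""
    return (int(epoch_seconds) // 86400) * 86400


def timechart_stats(events, span_seconds=300, earliest=None):
    """Equivalent of `eval _time=request_time/1000000 | timechart avg(...) span=5m`.

    Returns {bucket_start_epoch: {"count", "avg", "min", "max"}} ordered by bucket.
    Events without the field, or earlier than `earliest`, are skipped.
    """
    buckets = defaultdict(list)
    for event in events:
        fields = extract(event)
        if fields is None:
            continue
        request_us, response_time = fields
        _time = request_us / MICROSECONDS_PER_SECOND          # seconds, like Splunk's _time
        if earliest is not None and _time < earliest:
            continue
        bucket = int(_time // span_seconds) * span_seconds    # floor to the span boundary
        buckets[bucket].append(response_time)
    return {
        b: {"count": len(v), "avg": sum(v) / len(v), "min": min(v), "max": max(v)}
        for b, v in sorted(buckets.items())
    }


def today_chart(events, now_epoch, span_seconds=300):
    """earliest=@d relative to an explicit 'now', so the result is deterministic."""
    return timechart_stats(events, span_seconds, earliest=snap_to_day(now_epoch))


if __name__ == "__main__":
    chart = today_chart(SAMPLE_EVENTS, now_epoch=1477292160)
    for bucket, stats in chart.items():
        ts = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(f"{ts}  count={stats['count']}  avg={stats['avg']:.1f}  "
              f"min={stats['min']}  max={stats['max']}")
```

Pass a different span_seconds (for example 86400) to get one point per day, which is what the question's "past 7 days, past month" views need; the two 5-minute buckets the sample produces would then collapse into a single daily average.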
Re: How to create a response time graph based on two timestamps?

SplunkTrust

How many entries will be there per day? Do you want to plot avg response time by day or similar?