Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a time series from a log file?

amdosh
Explorer
‎06-14-2022 02:46 PM

I have a log file with a unique identifier (requestid) for a sequence of events. I want to show a breakup of all events within the requestid. I plan to show that by "marking" the start and stop logs of different events (based on the specific log message) I plan to track and finally create some table like this:

06/14/22 12:35:03.022 requestid=1requestid1 started
06/14/22 12:36:03.022 requestid=1 Event1 started
06/14/22 1237:03.022 requestid=1Event2 started
06/14/22 12:38:03.022 requestid=1 Event2 ended
06/14/22 12:39:03.022 requestid=1 Event1 ended
06/14/22 12:40:03.022 requestid=1requestid1 ended

Event      | Start Time                              | Duration
------------------------------------
Event1| 06/14/22 12:36:03.022.     |  180
Event2| 06/14/22 12:37:03.022.     |  60

The timeseries will be across the duration of the requestid transaction of 5 mins. Could you let me know how this can be achieved? Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

amdosh
Explorer
‎06-14-2022 03:11 PM

I think the best solution for me would be to modify the logs to have something like below and use transaction on the new tracker field.

06/14/22 12:35:03.022 requestid=1 requestid1 started
06/14/22 12:36:03.022 requestid=1 tracker=Event1 started
06/14/22 1237:03.022 requestid=1 tracker=Event2 started
06/14/22 12:38:03.022 requestid=1 tracker=Event2 ended
06/14/22 12:39:03.022 requestid=1 tracker=Event1 ended
06/14/22 12:40:03.022 requestid=1 tracker=requestid1 ended

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

amdosh
Explorer
‎06-14-2022 03:11 PM

I think the best solution for me would be to modify the logs to have something like below and use transaction on the new tracker field.

06/14/22 12:35:03.022 requestid=1 requestid1 started
06/14/22 12:36:03.022 requestid=1 tracker=Event1 started
06/14/22 1237:03.022 requestid=1 tracker=Event2 started
06/14/22 12:38:03.022 requestid=1 tracker=Event2 ended
06/14/22 12:39:03.022 requestid=1 tracker=Event1 ended
06/14/22 12:40:03.022 requestid=1 tracker=requestid1 ended

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...