Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display percentages with time duration data in timechart to visualize performance changes?

mcomfurf
Path Finder
‎09-05-2014 03:49 PM

We have an image processing service, and from the service logs I can calculate the duration in seconds of processing time for a given image. When we make hardware or software changes I want to be able to visualize performance changes. It's easy to do a time series of counts, but I've been asked to do so for a percentage instead.

My search to get overall percentages, again fairly easy:

sourcetype="imagelogs"  | eval duration=ceil(duration+(_time-(strptime(lastmodifiedtime,"%Y-%m-%d %H:%M:%S")))) | where duration < 86400  | rangemap field=duration "0-5 min"=0-299 "5-10 min"=300-599 "10-15 min"=600-899 "15-60 min"=900-3599 "60+ min"=3600-9999999  | top limit=5 range showcount=false percentfield=Percentage

The top search command seems to be incompatible with timechart. Do I need to construct a whole series of eval command within the timechart command to replace the rangemap function?

0 Karma
Reply

strive
Influencer
‎09-05-2014 11:06 PM

Try this

Your Base Search with out Top command | stats count as Count count(eval(range="0-5 min")) as Count5min count(eval(range="5-10 min")) as Count10min count(eval(range="10-15 min")) as Count15min count(eval(range="15-60 min")) as Count60min count(eval(range="60+ min")) as Count60Plus by _time | eval Percent5min=Count5min*100/Count | eval Percent10min=Count10min*100/Count | eval Percent15min=Count15min*100/Count | eval Percent60min=Count60min*100/Count | eval Percent60plus=Count60plus*100/Count | timechart partial=false first(Percent5min) as "0-5 min" first(Percent10min) as "5-10 min" first(Percent15min) as "10-15 min" first(Percent60min) as "15-60 min" first(Percent60plus) as "60+ min"

You can add options like span and etc.. to timechart as per your needs

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...