How to edit my search to do an eval match and if so, to plot a timechart?

howardroark
Explorer

I am trying to plot a timechart with the following:

index="ABC"  cs_uri_stem = "XYZ"
| timechart eval( if(match(cs_uri_query,"A"),avg(time_taken))) as AvgTime by cs_uri_stem

Basically, I am trying to match a string in a sentence and, based on that, if it's found then take the average time_taken, else do nothing.

How can I achieve this?

niketnilay
Legend

@howardroark, if you do nothing in the else block then you are complicating your use case. You can just filter the required events, i.e. cs_uri_query="A", in your base search itself (which will also return results faster). Further, you do not need by cs_uri_stem since you are anyway filtering to only one record in the base search, i.e. "XYZ".

index="ABC" cs_uri_stem="XYZ" cs_uri_query="A"
| timechart avg(time_taken) as AvgTime
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
howardroark
Explorer

@niketnilay Sure, though it's not the complete cs_uri_query that I am interested in. I am interested in a keyword present in the query string. Can I filter based on that? Say the "content" keyword in a "type=content&source=%size%" cs_uri_query?

niketnilay
Legend

@howardroark, you can do a wildcard search in the base query, which should still be faster than an eval later:

index="ABC" cs_uri_stem="XYZ" cs_uri_query="*content*"
| timechart avg(time_taken) as AvgTime
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
niketnilay
Legend

Also, you can perform the match during the stats/timechart command using eval:

index="ABC" cs_uri_stem="XYZ" cs_uri_query="*content*"
| timechart avg(eval(match(cs_uri_query,"content"))) as AvgTime

However, avg is dependent on the number of time buckets where cs_uri_query matched as expected. So you might have to get count instead of avg and compute avg based on the number of buckets instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
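As an added example (not from any post in this thread, and not Splunk's own documentation), the search below shows how to get the conditional average the original question asks for directly inside timechart. It keeps the thread's field names (index ABC, cs_uri_stem, cs_uri_query, time_taken) as assumptions about the data; the span and the extra count columns are choices made here to make the result easy to sanity-check. Averaging time_taken only where the regex matches, and null() otherwise, is what "else do nothing" means to avg: null values are ignored, so non-matching events neither pull the average down nor count toward it, and the result stays an average of response times rather than an average of match booleans.

```spl
index="ABC" cs_uri_stem="XYZ"
| timechart span=1h
    avg(eval(if(match(cs_uri_query, "content"), time_taken, null()))) as AvgTime
    count(eval(if(match(cs_uri_query, "content"), 1, null()))) as MatchedEvents
    count as TotalEvents
```

MatchedEvents and TotalEvents are only there as a check: AvgTime for a bucket is the mean time_taken over exactly MatchedEvents events, and a bucket with MatchedEvents=0 shows an empty AvgTime rather than 0. If the query string might carry the keyword in mixed case, use "(?i)content" as the regex; if you only ever need the matching events, filtering with cs_uri_query="*content*" in the base search, as suggested above, is still the cheaper option because it reduces the events before the aggregation runs.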