I have the following Splunk search, which returns a count of service calls taking over 20,000 milliseconds, and I want to break this number down into a daily count over the last month:
index=xyz | rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." | stats count by MILLIS | search MILLIS > 20000 | stats sum(count)
I have tried to accomplish this with the "timechart" command, but so far I have been unsuccessful. Can someone please tell me how to do this?
Thanks!
Jonathan
Your initial search is doing unnecessary work. It could be this simple...
index=xyz
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call."
| search MILLIS > 20000
| stats count as CountOver20K
Here's how to add the date...
index=xyz
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call."
| search MILLIS > 20000
| bin _time span=1d
| stats count as CountOver20K by _time
or the last two could be combined this way
index=xyz
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call."
| search MILLIS > 20000
| timechart span=1d count as CountOver20K
By the way, be sure to mark your code as code so the interface doesn't strip out the html-like parts in angle brackets. <MILLIS>
Try like this
index=xyz earliest=-1mon@mon latest=@mon | rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." | search MILLIS > 20000 | timechart span=1d count
Please note that I've added earliest and latest values to the base search to show results for last month (Jun 2017, considering today is Jul 5th). You can update earliest/latest per your need, or remove them and use the time range picker to specify the time range.
Try below
| rex field=_raw "Response Time : (?<MILLIS>\d+) for UpdateSession call." | search MILLIS > 20000 | timechart span=1h count by MILLIS
I hope this will help you
@sbbadri - The last command will chart the count broken out by each particular value of MILLIS, which, since they are the durations of the response time, are likely to all be unique values, just a few random dots on the timechart. However, that could be a useful strategy if you binned the MILLIS, for example in 5000 ms chunks, which might give you an idea just exactly how long the delays were in any given time period.
This is fantastic! Thank you!
The suggestion by sbbadri reminded me that you might like to actually know how long the responses took, so this groups them by 5000 ms increments...
index=xyz
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call."
| bin _time span=1d
| eval MsRange = 5000*if(MILLIS<20000,0,floor(MILLIS/5000))
| where MsRange > 0
| timechart span=1d count as CountInRange by MsRange
You could leave in the 0-19999 ms range and color them appropriately to see what's happening at all levels.
Response time is likely to be dependent on volume, so you might also want to look at it this way...
index=xyz
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call."
| bin _time span=1d
| eval Over20K=if(MILLIS>20000,1,0)
| timechart span=1d sum(Over20K) as CountOver20K count as CountTotal
...or this way ...
index=xyz
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call."
| bin _time span=5m
| eval Over20K=if(MILLIS>20000,1,0)
| stats sum(Over20K) as CountOver20K count as CountTotal by _time
| eval PctOver20K = round(100*CountOver20K/CountTotal,2)
| timechart avg(PctOver20K) as AvgPct max(PctOver20K) as MaxPct span=1d
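As an added illustration (not code from any of the answers above), this Python snippet replays the extraction, daily binning, 5000 ms range bucketing and percentage-over-threshold arithmetic from the searches above on a few constructed log lines, so the eval logic can be sanity-checked offline before it goes into a dashboard. The events and timestamps are constructed; the pattern is the page's rex written in Python's (?P<name>...) syntax with a plain \d+ capture.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (timestamp, _raw) in the format the question's rex expects.
SAMPLE_LOGS = [
    ("2017-06-01T10:00:05Z", "Response Time : 25000 for UpdateSession call."),
    ("2017-06-01T10:02:11Z", "Response Time : 3100 for UpdateSession call."),
    ("2017-06-01T10:03:40Z", "Response Time : 41200 for UpdateSession call."),
    ("2017-06-02T09:15:00Z", "Response Time : 19999 for UpdateSession call."),
    ("2017-06-02T09:16:30Z", "Response Time : 20001 for UpdateSession call."),
    ("2017-06-02T09:17:00Z", "Response Time : 900 for GetSession call."),  # not matched
]

# The page's rex pattern; Splunk writes the named group (?<MILLIS>...), Python (?P<MILLIS>...).
RESPONSE_RE = re.compile(r"Response Time : (?P<MILLIS>\d+) for UpdateSession call\.")
THRESHOLD_MS = 20000
BUCKET_MS = 5000

def extract_millis(raw):
    """rex equivalent: MILLIS as an int, or None when the event does not match."""
    m = RESPONSE_RE.search(raw)
    return int(m.group("MILLIS")) if m else None

def day_bucket(ts):
    """bin _time span=1d: truncate the timestamp to its UTC date."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()

def ms_range(millis):
    """eval MsRange = 5000*if(MILLIS<20000,0,floor(MILLIS/5000))"""
    return 0 if millis < THRESHOLD_MS else BUCKET_MS * (millis // BUCKET_MS)

def daily_counts(logs):
    """Per day: CountTotal, CountOver20K, PctOver20K and the count per MsRange bucket (> 0 only)."""
    per_day = defaultdict(lambda: {"CountTotal": 0, "CountOver20K": 0, "ByRange": Counter()})
    for ts, raw in logs:
        millis = extract_millis(raw)
        if millis is None:
            continue  # unmatched events have no MILLIS and drop out, as in Splunk
        row = per_day[day_bucket(ts)]
        row["CountTotal"] += 1
        if millis > THRESHOLD_MS:  # search MILLIS > 20000
            row["CountOver20K"] += 1
        rng = ms_range(millis)
        if rng > 0:  # where MsRange > 0
            row["ByRange"][rng] += 1
    for row in per_day.values():
        row["PctOver20K"] = round(100 * row["CountOver20K"] / row["CountTotal"], 2)
    return dict(per_day)
```

Note that a response of exactly 20000 ms lands in the 20000 MsRange bucket but is not counted by MILLIS > 20000; pick one boundary (< 20000 versus <= 20000) and use it in both places.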