Splunk Search

How to edit my timechart search to find the daily count of service calls over the last month?

jbrenner
Path Finder

I have the following Splunk search, which returns a count of service calls taking over 20,000 milliseconds, and I want to break this number down into a daily count over the last month:

index=xyz  | rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." | stats count by MILLIS | search MILLIS > 20000 | stats sum(count)

I have tried to accomplish this with the "timechart" command, but so far I have been unsuccessful. Can someone please tell me how to do this?

Thanks!
Jonathan

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Your initial search is doing unnecessary work. It could be this simple...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| search MILLIS > 20000 
| stats count as CountOver20K

Here's how to add the date...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| search MILLIS > 20000 
| bin _time span=1d  
| stats count as CountOver20K by _time

or the last two could be combined this way

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| search MILLIS > 20000 
| timechart span=1d count as CountOver20K

By the way, be sure to mark your code as code so the interface doesn't strip out the html-like parts in angle brackets. <MILLIS>


0 Karma

somesoni2
Revered Legend

Try like this

index=xyz earliest=-1mon@mon latest=@mon | rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." | search MILLIS > 20000 | timechart span=1d count

Please note that I've added earliest and latest values in the base search to show results for last month (Jun 2017, considering today is Jul 5th). You can update earliest/latest per your need, or remove them and use the time range picker to specify the time range.

0 Karma

sbbadri
Motivator

try below

| rex field=_raw "Response Time : (?<MILLIS>\d+) for UpdateSession call." | search MILLIS > 2000 | timechart span=1h count by MILLIS

I hope this will help you

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@sbbadri - The last command will chart the count broken out by each particular value of MILLIS, which, since they are the duration of the response time, are likely to all be unique values: just a few random dots on the timechart. However, that could be a useful strategy if you binned the MILLIS, for example in 5000 ms chunks, which might give you an idea just exactly how long the delays were in any given time period.


jbrenner
Path Finder

This is fantastic! Thank you!

DalJeanis
SplunkTrust
SplunkTrust

The suggestion by sbbadri reminded me that you might like to actually know how long the responses took, so this groups them by 5000 ms increments...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| bin _time span=1d
| eval MsRange = 5000*if(MILLIS<20000,0,floor(MILLIS/5000))
| where MsRange > 0 
| timechart span=1d count as CountInRange by MsRange 

You could leave in the 0-19999 ms range and color them appropriately to see what's happening at all levels.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Response time is likely to be dependent on volume, so you might also want to look at it this way...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| bin _time span=1d
| eval Over20K=if(MILLIS>20000,1,0)
| timechart span=1d sum(Over20K) as CountOver20K count as CountTotal

...or this way ...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| bin _time span=5m
| eval Over20K=if(MILLIS>20000,1,0)
| stats sum(Over20K) as CountOver20K count as CountTotal by _time
| eval PctOver20K = round(100*CountOver20K/CountTotal,2)
| timechart avg(PctOver20K) as AvgPct max(PctOver20K) as MaxPct span=1d 

0 Karma
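As an added example (not code from any of the posters), here is a small Python model of what the searches in this thread compute, run over constructed log lines in the format quoted in the question: the rex extraction of MILLIS, the daily count of calls over 20000 ms, the 5000 ms MsRange bucketing from the post two above, and the daily CountOver20K/CountTotal ratio from the last post. It assumes each event starts with an ISO timestamp standing in for _time, and uses Python's (?P<name>...) group syntax in place of Splunk's PCRE (?<name>...).

```python
import math
import re
from collections import Counter, defaultdict

# Splunk rex takes PCRE (?<MILLIS>...); Python's re needs (?P<MILLIS>...).
# The thread's pattern has ".\d+"; that "." only eats the first digit, so it is dropped here.
RESPONSE_RE = re.compile(r"Response Time : (?P<MILLIS>\d+) for UpdateSession call\.")

# Constructed sample events, "<ISO timestamp> <message>"; the timestamp stands in for _time.
SAMPLE_LOG = """\
2017-06-01T09:00:00 Response Time : 1500 for UpdateSession call.
2017-06-01T09:05:00 Response Time : 23000 for UpdateSession call.
2017-06-01T09:06:00 Response Time : 27500 for UpdateSession call.
2017-06-01T09:07:00 Response Time : 20000 for UpdateSession call.
2017-06-02T10:00:00 Response Time : 800 for UpdateSession call.
2017-06-02T10:01:00 Response Time : 41000 for UpdateSession call.
2017-06-02T10:02:00 Response Time : 600 for UpdateSession call.
2017-06-02T10:03:00 UpdateSession call failed before a response time was logged
"""

def extract(log_text):
    """rex step plus bin _time span=1d: yield (day, MILLIS) for each matching event."""
    for line in log_text.splitlines():
        ts, _, msg = line.partition(" ")
        m = RESPONSE_RE.search(msg)
        if m:  # events without the field fall out of the pipeline, as in Splunk
            yield ts[:10], int(m.group("MILLIS"))  # ts[:10] is the YYYY-MM-DD day bin

def daily_count_over(log_text, threshold=20000):
    """search MILLIS > 20000 | timechart span=1d count as CountOver20K"""
    return dict(Counter(day for day, ms in extract(log_text) if ms > threshold))

def ms_range(millis):
    """eval MsRange = 5000*if(MILLIS<20000,0,floor(MILLIS/5000))"""
    return 0 if millis < 20000 else 5000 * math.floor(millis / 5000)

def daily_count_by_range(log_text):
    """where MsRange > 0 | timechart span=1d count as CountInRange by MsRange"""
    out = defaultdict(Counter)
    for day, ms in extract(log_text):
        if ms_range(ms) > 0:  # drop the 0-19999 ms bucket, as the thread's where clause does
            out[day][ms_range(ms)] += 1
    return {day: dict(c) for day, c in out.items()}

def daily_pct_over(log_text, threshold=20000):
    """eval Over20K=if(MILLIS>20000,1,0) ... round(100*CountOver20K/CountTotal,2), per day"""
    total, over = Counter(), Counter()
    for day, ms in extract(log_text):
        total[day] += 1
        over[day] += int(ms > threshold)
    return {day: round(100 * over[day] / total[day], 2) for day in total}
```

Note that the 20000 ms event counts in the MsRange=20000 bucket but not in CountOver20K, since the thread's filter is strictly greater than 20000.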