Hi,
I have the following log data in Splunk. Below is example data taken from Splunk:
2024-02-04T00:15:15.209Z [jfrt ] [INFO ] [64920151065ecdd9] [.s.b.i.GarbageCollectorInfo:81] [cdd9|art-exec-153205] - Storage TRASH_AND_BINARIES garbage collector report:
Total execution time: 15.25 minutes
Candidates for deletion: 4,960
Checksums deleted: 4,582
Binaries deleted: 4,582
host = hostname.com index = XXXXXX1 source = artifactory-service sourcetype = artifactory-service
How can I display a trend/timechart of "Total execution time" using a Splunk query, grouped by timestamp and host name, for the Storage TRASH_AND_BINARIES garbage collector report?
I appreciate any help.
Thanks
Rahul
Hi, the above query in my dashboard is displaying large numbers. I want to convert those to a shorter number with "million" added to it. For example, if the value shows 600,0000 then the result should display 6mil. How can I achieve this? I tried using -->
| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|fieldformat count = count/1000000
But this does not work.
Any help is appreciated.
Hi @Rahul-Sri ,
this is another question and it's always better to open a new case, even if this is the following step to your request; in this way you'll surely have faster and probably better answers.
Anyway, the approach is to use the eval command, not the format command, and round the number:
| eval count=round(count/1000000,2)."M"
Please accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi,
Thanks for quick response. I have tried both the options below:
Option-1
| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|eval status=round(status/1000000,2)."M"
Option-2
| eval status = if(match(status, "20/[0-1]/"), "success(200 and 201)",status)| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|eval count=round(count/1000000,2)."M"
But in my graph I don't see any difference. I still see large numbers instead of shortened numbers with M appended.
Below is the output
Hi @Rahul-Sri ,
my solution is only for a table because you transform a number into a string.
If you have to display the result in a graph, you can divide by 1000000 and indicate in the subtitle that the numbers are in millions, or use a logarithmic scale in the graph.
Ciao.
Giuseppe
Hi @RS ,
I suppose that the total execution time is always displayed in minutes; otherwise, you have to convert it based on the format. So, please try something like this:
index = XXXXXX1 host = hostname.com source = artifactory-service sourcetype = artifactory-service "Storage TRASH_AND_BINARIES garbage collector report"
| rex "Total\s+execution\s+time:\s+(?<minutes>\d+(?:\.\d+)?)\s+minutes"
| eval Total_execution_time=round(minutes*60)
| timechart sum(Total_execution_time) AS Total_execution_time BY host
Ciao.
Giuseppe
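A more general form of the same search, added here as an example and not part of Giuseppe's answer, for the case he mentions where the report is not always in minutes: it captures the number and its unit, normalises everything to seconds and charts one value per host per bin. The field names gc_value, gc_unit and gc_seconds and the hourly span are assumptions; the index, source and sourcetype are the ones shown in the question.

```spl
index=XXXXXX1 source=artifactory-service sourcetype=artifactory-service "Storage TRASH_AND_BINARIES garbage collector report"
| rex "Total\s+execution\s+time:\s+(?<gc_value>\d+(?:\.\d+)?)\s+(?<gc_unit>seconds?|minutes?|hours?)" ```capture the number and the unit it is reported in (assumed field names)```
| eval gc_seconds=case(like(gc_unit, "second%"), gc_value, like(gc_unit, "minute%"), gc_value*60, like(gc_unit, "hour%"), gc_value*3600) ```normalise every report to seconds, so 15.25 minutes becomes 915```
| eval gc_seconds=round(gc_seconds) ```whole seconds are enough for a trend chart```
| where isnotnull(gc_seconds) ```drop events where the report line did not match the pattern```
| timechart span=1h max(gc_seconds) AS gc_seconds BY host ```max keeps one run per host per hour instead of summing several reports in the same bin```
```

The triple-backtick parts are SPL comments; remove them if your Splunk version does not support comments in searches.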
Thanks @gcusello. The given query helped me produce the required timechart.
Hi @RS,
good for you, see you next time!
Let me know if I can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉