Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get sum and charts of usage time values for corresponding fields?

fziegler
New Member
‎06-18-2014 12:58 PM

I'm using splunk 6.0.3

When I search for: "has been closed after being in use"
I have a series of hits like shown in the 4 sample lines below:

2014-06-17 18:26:47.219765 (UTC) Camera SITENAME-1.camera.CAMERANAME-1 has been closed after being in use for 175 seconds in automatic mode

2014-06-18 14:48:30.241732 (UTC) Camera SITENAME-2.camera.CAMERANAME-2 has been closed after being in use for 281 seconds in manual mode

2014-06-18 15:52:53.974993 (UTC) Camera SITENAME-3.camera.CAMERANAME-3 has been closed after being in use for 5494 seconds in Unknown mode

2014-06-18 15:53:10.312491 (UTC) Camera SITENAME-4.camera.CAMERANAME-4 has been closed after being in use for 5511 seconds in watching mode

How can a do a search, to report the total usage time, for each camera, at each site, in each mode?

and.. print pretty charts and plots?
thanks!

Fred.Ziegler@alum.mit.edu

Tags (2)
0 Karma
Reply

jeremiahc4
Builder
‎06-18-2014 01:03 PM

You could either use the field extractor UI to try and solve it, or you could use rex on the search line to handle the same.

Something like (untested, but probably close);

your base search | rex "Camera (?P<CameraSite>.+) has been closed after being in use for (?P<UsageTime>\d*) seconds" | chart sum(UsageTime) by CameraSite
0 Karma
Reply

jeremiahc4
Builder
‎06-18-2014 01:06 PM

You probably need to modify the regex ".+" in the CameraSite field to capture the full name... I usually have to play around with it, but could either be something like

(?P[\w\d\-\.]*) or (?P.*[^ ])

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...