Splunk Search

How to get the time duration for the search string availability in day ?

rakesh_498115
Motivator

Hi All,

I had a requirement to find the error codes and their occurrence windows for a given day, to be printed in a table format. For e.g.: I was looking for an error code "Z901" in my Splunk logs for a given day; I would like to know how many occurrences of this error, i.e. Z901, have been seen on that day.

// sample output which I am looking for is:

Day          Error_Code   Occurrences   Duration
08-06-2019   Z901         3             00:02:00 - 01:04:05
                                        07:00:00 - 07:24:45
                                        23:45:00 - 23:55:00

I need the output in the above format - can anyone help me please in getting the above format? So from the above format I can clearly see that I am getting Z901 errors on the day, i.e. "08-06-2019", for 3 occurrences, i.e. between the time windows 00:02:00-01:04:05, 07:00:00-07:24:45 and 23:45:00-23:55:00.

I tried using earliest and latest times but am getting the output as 00:02:00 - 23:55:00 for the whole day. Need help to print in the above format.


rakesh_498115
Motivator

Can anyone help on the above requirement please?


VatsalJagani
Motivator

@rakesh_498115

I'm sorry I'm not giving the exact solution you need, but I think this will help to gather the information that you need. Instead of a single query, we'll write a dashboard having two panels; see the XML code for that part of the dashboard. And I think charts are visually more helpful than tables.
With this, what we are trying to achieve is that we'll have one panel to show data per day, so from this chart the user will have an idea about the occurrence of errors on any day. If the user clicks on the chart, the second panel will show data for that particular day, so the user can visualize the time windows 00:02:00-01:04:05, 07:00:00-07:24:45 and 23:45:00-23:55:00 from that chart.

  • Create a dashboard
  • Add a time range picker
  • Add a panel with a column chart with query <your base query> | timechart span=1d count. In the time range selection for the query, give the time range picker added above.
  • Add a second panel with a column chart with query <your base query> | timechart count. In the time range, give the time range tokens: for earliest give token earliest and for latest give token latest.

Your base query is the part that searches all the data, including the filtering mechanism for error code Z901.

Hope this helps!!!


rakesh_498115
Motivator

Hi Vatsal... thanks for the efforts. Basically I was trying to prepare a query or dashboard to give a tabular view of data in the format shown. I would like the occurrences of the error code and their time windows for each day. :( Using earliest and latest gives me only one window for that day.


VatsalJagani
Motivator

It will give more windows if you use the timechart command with span.


rakesh_498115
Motivator

Yeah... I have used something like this -

<< my search query >> | eval Day=strftime(_time,"%d-%b-%y") | stats min(_time) as first_occurence max(_time) as last_occurence by Day, Error_Code | eval Window=strftime(first_occurence,"%H:%M:%S") . " - " . strftime(last_occurence,"%H:%M:%S") | table Day, Error_Code, Window

But still the above one is giving me the first and last occurrence of the error code in a day, which is similar to using earliest(_time) and latest(_time)...

Fingers crossed!!! No more thoughts to crack my requirement; it's getting over my head 😞

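The reason min/max (or earliest/latest) per day can only ever yield one window is that they look at the two extreme timestamps and ignore the gaps in between. What the requested table actually needs is gap-based windowing: walk the events for a day in time order and start a new window whenever the pause since the previous event exceeds some threshold. The following is an added worked example written for this thread (editor's code, not from the original posts or from Splunk); the log line format, the error_code= field name and the 30-minute pause threshold are assumptions, and the sample lines are constructed so that Z901 on 08-06-2019 reproduces the three windows from the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the original thread);
# the line format and the error_code= field name are assumptions.
# Two lines for 23:xx are deliberately out of order to show that sorting matters.
SAMPLE_LOGS = """\
2019-06-08 00:02:00 host=app01 error_code=Z901 msg="gateway timeout"
2019-06-08 00:20:00 host=app01 error_code=Z901 msg="gateway timeout"
2019-06-08 00:40:00 host=app02 error_code=Z901 msg="gateway timeout"
2019-06-08 01:04:05 host=app02 error_code=Z901 msg="gateway timeout"
2019-06-08 03:15:00 host=app02 error_code=Z902 msg="cache miss storm"
2019-06-08 07:00:00 host=app01 error_code=Z901 msg="gateway timeout"
2019-06-08 07:10:00 host=app03 error_code=Z901 msg="gateway timeout"
2019-06-08 07:24:45 host=app03 error_code=Z901 msg="gateway timeout"
2019-06-08 23:55:00 host=app01 error_code=Z901 msg="gateway timeout"
2019-06-08 23:45:00 host=app01 error_code=Z901 msg="gateway timeout"
2019-06-09 00:01:00 host=app01 error_code=Z901 msg="gateway timeout"
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\berror_code=(\w+)")


def parse_events(text):
    """Return (timestamp, error_code) pairs; lines without an error_code are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def cluster_windows(times, max_pause):
    """Collapse timestamps into (start, end) windows.

    Events are processed in time order; an event extends the current window if
    it arrives within max_pause of that window's last event, otherwise it opens
    a new one. This is the gap rule Splunk's transaction command applies with
    maxpause=, and it is exactly what min/max (or first/last) per day cannot
    express, because those always produce one window per day.
    """
    windows = []
    for t in sorted(times):
        if windows and t - windows[-1][1] <= max_pause:
            windows[-1][1] = t          # still inside the current burst: extend it
        else:
            windows.append([t, t])      # gap too large: open a new window
    return [(start, end) for start, end in windows]


def occurrence_windows(events, max_pause=timedelta(minutes=30)):
    """One row per (day, error code): number of windows and their start - end times."""
    by_key = defaultdict(list)
    for ts, code in events:
        by_key[(ts.date(), code)].append(ts)   # group by calendar day first
    rows = []
    for (day, code), times in sorted(by_key.items()):
        wins = cluster_windows(times, max_pause)
        rows.append({
            "Day": day.strftime("%d-%m-%Y"),
            "Error_Code": code,
            "Occurrences": len(wins),
            "Duration": [f"{s:%H:%M:%S} - {e:%H:%M:%S}" for s, e in wins],
        })
    return rows


def format_table(rows):
    """Render rows in the layout asked for in the question: one line per window,
    with Day/Error_Code/Occurrences shown only on the first line of each row."""
    lines = [f"{'Day':<12}{'Error_Code':<12}{'Occurrences':<13}Duration"]
    for r in rows:
        head = f"{r['Day']:<12}{r['Error_Code']:<12}{r['Occurrences']:<13}"
        for i, win in enumerate(r["Duration"]):
            lines.append((head if i == 0 else " " * len(head)) + win)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(occurrence_windows(parse_events(SAMPLE_LOGS))))
```

The pause threshold decides what counts as one "occurrence": with 30 minutes the sample yields the three windows from the question, with 10 minutes the same events split into seven, so pick it from how bursty the error actually is. In SPL the same grouping is what the transaction command with maxpause= produces per Error_Code: each transaction's _time and duration fields give a window's start and end, which can then be grouped by day and error code with stats.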

VatsalJagani
Motivator

Try to use the timechart command instead of stats, as I've mentioned in the answer.
