Splunk Search

How to get the time duration for search string availability in a day?

rakesh_498115
Motivator

Hi All,

I have a requirement to find the error codes and their occurrence windows for a given day and print them in a table format. For example: I am looking for an error code "Z901" in my Splunk logs for a given day, and I would like to know how many occurrences of this error, i.e. Z901, were seen on that day.

// The sample output I am looking for is:

Day         Error_Code  Occurrences  Duration
08-06-2019  Z901        3            00:02:00 - 01:04:05
                                     07:00:00 - 07:24:45
                                     23:45:00 - 23:55:00

I need the output in the above format; can anyone help me get it? From the above format I can clearly see the Z901 errors on the day "08-06-2019" for 3 occurrences, i.e. between the time windows 00:02:00-01:04:05, 07:00:00-07:24:45 and 23:45:00-23:55:00.

I tried using earliest and latest times but am getting the output as 00:02:00 - 23:55:00 for the whole day. I need help to print it in the above format.

0 Karma

rakesh_498115
Motivator

Can anyone help with the above requirement please?

0 Karma

VatsalJagani
SplunkTrust

@rakesh_498115

I'm sorry I'm not giving the exact solution you need, but I think this will help to gather the information that you need. Instead of a single query, we'll write a dashboard having two panels; see the XML code for that part of the dashboard. And I think charts are visually more helpful than tables.
What we are trying to achieve by this is that we'll have one panel showing data per day, so from this chart the user will have an idea about the occurrence of errors on any day. If the user clicks on the chart, the second panel will show data for that particular day, so the user can visualize the time windows 00:02:00-01:04:05, 07:00:00-07:24:45 and 23:45:00-23:55:00 from that chart.

  • Create a dashboard
  • Add timerange picker
  • Add a panel with a column chart with the query <your base query> | timechart span=1d count. In the time range selection for the query, give the time range picker added above.
  • Add a second panel with a column chart with the query <your base query> | timechart count. For the time range, give the time range token: for earliest give the token earliest and for the latest time give the token latest.

Your base query has all the data-searching part, including the filtering mechanism for error code Z901.

Hope this helps!!!

0 Karma

rakesh_498115
Motivator

Hi Vatsal... thanks for the efforts. Basically I was trying to prepare a query or dashboard to give a tabular view of the data in the format shown... I would like the occurrences of the error code and their time windows for each day. :( Using earliest and latest gives me only one window for that day.

0 Karma

VatsalJagani
SplunkTrust

It will give more windows if you use the timechart command with span.

0 Karma

rakesh_498115
Motivator

Yeah... I have used something like this:

<< my search query >> | timechart span=1s count | eval Day=strftime(_time,"%d-%b-%y") | stats first(_time) as first_occurence last(_time) as last_occurence by Day, Error_Code | eval window = first_occurence . "-" . last_occurence | table Day, Error_Code, window

But the above one is still giving me the first and last occurrence of the error code in a day, which is similar to using earliest(_time) and latest(_time)...

Fingers crossed!!! No more thoughts on how to crack my requirement; it's getting over my head 😞

0 Karma

VatsalJagani
SplunkTrust

Try to use the timechart command instead of stats, as I've mentioned in the answer.

0 Karma
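A single search that produces the table asked for in the opening post, added here as an example and not taken from any reply in the thread. It assumes each event carries an Error_Code field and treats a gap of more than 5 minutes between consecutive Z901 events as the boundary between two windows; both the field name and the 5-minute gap are assumptions.

```spl
<your base query> Error_Code="Z901"
| transaction Error_Code maxpause=5m
| sort 0 _time
| eval Day=strftime(_time, "%d-%m-%Y")
| eval Window=strftime(_time, "%H:%M:%S") . " - " . strftime(_time + duration, "%H:%M:%S")
| stats count AS Occurrences list(Window) AS Duration BY Day, Error_Code
```

transaction groups consecutive events into one window until it sees a pause longer than maxpause, and its _time and duration fields give each window's start and length; it also splits any group larger than its default maxevents of 1000, so raise that for noisy codes. A window that crosses midnight is counted on the day it started.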