Splunk Search
Highlighted

How to make a time chart with a list of time values I extracted with rex?

Explorer

I have timestamps in my logs like this:

[23/Oct/2016:23:56:00 --0700]

I extracted them from my log files with this search:

source=* * | rex field=_raw "(?ism)\[(?<time>\d+\/\w+\/.+)\]"

Now I want to make a timechart that shows the time on the x-axis and the number of occurrences in that time on the y-axis. I tried doing:

| timechart span=1h count by time

But that didn't give me what I wanted. In plain English, I want it to read like "you got a 100 requests from 9am-10am, 50 requests from 10am-11am, etc etc".

Bonus: I would like to offer more granularity based on what the user wants. Like they should be able to see that they got a 100 requests from 9am-10am, but then see specifically at what times between that hour the 100 requests came in.

0 Karma
Highlighted

Re: How to make a time chart with a list of time values I extracted with rex?

Splunk Employee
Splunk Employee

Try converting your extracted timefield to epoch using strptime (appropriate for your time value, below is just an example) and cast that to _time directly to do your timechart

|eval test=strptime(time,"%d/%b/%Y:%H:%M")|eval _time=test|timechart span=1h count 

View solution in original post

0 Karma
Highlighted

Re: How to make a time chart with a list of time values I extracted with rex?

Explorer

What does _time=test mean?

0 Karma
Highlighted

Re: How to make a time chart with a list of time values I extracted with rex?

Splunk Employee
Splunk Employee

This means set _time to the value of test which is an epoch value we created from the strptime statement.

Test is just an arbitrary field name I gave it. _time is Splunk internal timefield that is used when doing timechart.

0 Karma