Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to search with a fixed time span timechart everyday?

zacksoft
Contributor
‎08-29-2018 07:05 AM

I am trying to find my average response time of everyday events (not avg of all the events of that day , but the events from 10AM to 1PM) only for last 7 days.

sourcetype="super:access" host=xa20hlf**  | eval headers=split(_raw," ") | eval resp_time=mvindex(headers,10) | eval resptime_time_seconds=resp_time*0.001| timechart span=1d eval(round(avg(resptime_time_seconds),2)) as avgTime
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-29-2018 07:21 AM

Try this...

sourcetype="super:access" host=xa20hlf**  
| eval Hour=strftime(_time,"%H")
| where Hour>=10 AND Hour<13
| eval headers=split(_raw," ") 
| eval resp_time=mvindex(headers,10) 
| eval resptime_time_seconds=resp_time*0.001
| timechart span=1d eval(round(avg(resptime_time_seconds),2)) as avgTim

View solution in original post

Reply
Solved! Jump to solution

horsefez
Motivator
‎08-29-2018 07:25 AM

Hi @zacksoft,

how about this:

sourcetype="super:access" host=xa20hlf** earliest=-7d@d latest=now (date_hour=10 OR date_hour=11 OR date_hour=12 OR date_hour=13) | eval headers=split(_raw," ") | eval resp_time=mvindex(headers,10) | eval resptime_time_seconds=resp_time*0.001| timechart span=1d eval(round(avg(resptime_time_seconds),2)) as avgTime

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎08-29-2018 07:33 AM

I wanna change the latest = now to latest = (a fix time of day/week, that I choose like this wednesday 6pm) . Also can we exclude weekends?
When we give span=1d, what exactly is the duration of 1d in clockwise?

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-29-2018 07:21 AM

Try this...

sourcetype="super:access" host=xa20hlf**  
| eval Hour=strftime(_time,"%H")
| where Hour>=10 AND Hour<13
| eval headers=split(_raw," ") 
| eval resp_time=mvindex(headers,10) 
| eval resptime_time_seconds=resp_time*0.001
| timechart span=1d eval(round(avg(resptime_time_seconds),2)) as avgTim
Reply
Solved! Jump to solution

twinspop
Influencer
‎08-29-2018 07:46 AM

Dal: In my admittedly limited testing, I found it ~ 8% faster to filter on hour after the timechart. Trim the first eval and the first where, and after timechart add: | where tonumber(strftime(_time,"%H"))>=10 and tonumber(strftime(_time,"%H"))<13. My test was a simple count on _internal.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-29-2018 07:06 PM

@twinspop - you can't filter on hour after the timechart aggregates to span=1d ... so it would not work unless you change the timechart to span=1h and then run it again through timechart to aggregate it up to the day level... and then you are averaging the averages rather than the actual events. If you have an idea that you think will work, please go ahead and write it up as an answer. The more, the merrier!

Reply
Solved! Jump to solution

twinspop
Influencer
‎08-29-2018 07:32 PM

Shoot man, you're totally right. My bad.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...