- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to show text values in a timechart?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following information extracted from the log file:
03.03.2016 04:46:23 : Execution time in minutes: 4,37056666666667
03.03.2016 04:16:17 : Execution time in minutes: 4,2685
03.03.2016 03:46:15 : Execution time in minutes: 4,25025
If I extract new fields (using space), I will get 8 fields, Meaning I am able to filter the time (like 4,37056) for field 8
table _time and field8 --> and I'll get the date/time like 03.03.2016 04:46:23 and the Execution time like 4.37056
Now, when I want to show the date/time and Execution times in, for example, a line graph, it's empty -- I have the date/time (X-axis) and Execution time (Y-axis)
Unfortunately the graph is empty ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, try this
source=log_file
| rex "Execution time in minutes: (?<exec_time>\S+)"
| eval Execution_time = tonumber(replace(exec_time, ",", "." ))
| timechart avg(Execution_time) as Avg_Execution_Time
or substitute the following for the timechart command:
| sort _time
| table _time Execution_time
The problem with the earlier answer is that Splunk interpreted the comma in the execution time as a thousands separator. And there was a typo, which I have corrected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, try this
source=log_file
| rex "Execution time in minutes: (?<exec_time>\S+)"
| eval Execution_time = tonumber(replace(exec_time, ",", "." ))
| timechart avg(Execution_time) as Avg_Execution_Time
or substitute the following for the timechart command:
| sort _time
| table _time Execution_time
The problem with the earlier answer is that Splunk interpreted the comma in the execution time as a thousands separator. And there was a typo, which I have corrected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following worked and reflected the correct values in the 'graph':
| rex "Execution time in minutes: (?\S+)"
| eval Execution_time = tonumber(replace(exec_time, ",", "." ))
| sort _time
| table _time Execution_time
Also the following did the job
| rex field=Execution_Time mode=sed "s/,/./g"
| table _time Execution_Time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help Iguinn!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that you have a field named execution_time, try this
yoursearchhere
| convert num(execution_time) as exec_time
| sort _time
| table _time exec_time
Although this would probably make a better time chart:
yoursearchhere
| convert num(execution_time) as exec_time
| timechart avg(exec_time) as Avg_Execution_Time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would help if you showed the actual Splunk commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My comments are not saved for unknown reason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Original search:
index = xxxxx sourcetype = xxxxx host = xxxxx source = "Log-File" field4 = Execution field5 = time field6 = in field7 = "minutes:" Execution_Time = "*"
04.03.2016 10:19:47 : Execution time in minutes: 6,77968333333333
04.03.2016 09:19:36 : Execution time in minutes: 6,60625
04.03.2016 08:48:48 : Execution time in minutes: 5,80391666666667
04.03.2016 08:18:33 : Execution time in minutes: 5,5466
Adding | table _time Execution_Time -- this is how it should look in graph -- date/time on the X-as and Execution Time in minutes on the Y-as
2016-03-04 10:19:47 6,77968333333333
2016-03-04 09:19:36 6,60625
2016-03-04 08:48:48 5,80391666666667
2016-03-04 08:18:33 5,5466
Visualization: X-as and Y-as look OK, but the graph is empty
When adding | convert num(Execution_Time) as exec_time | table _time exec_time
2016-03-04 10:19:47 677968333333333
2016-03-04 09:19:36 660625
2016-03-04 08:48:48 580391666666667
2016-03-04 08:18:33 55466
2016-03-04 07:48:30 54875
When I | timechart avg(exec_time) as Avg_Execution_Time I (now) get values in the graph -- unfortunately these are incorrect (=unusable).
I am new to Splunk, so all help is appreciated here
Target is to get these execution times in minutes in graph with some alerts configured e.g. if 'execution time' > 10 (minutes)
Data-Driven Success: Splunk & Financial Services
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
