Splunk Search

How to show text values in a timechart?

Explorer

I have the following information extracted from the log file:

03.03.2016 04:46:23 : Execution time in minutes: 4,37056666666667
03.03.2016 04:16:17 : Execution time in minutes: 4,2685
03.03.2016 03:46:15 : Execution time in minutes: 4,25025

If I extract new fields (using space), I will get 8 fields, meaning I am able to filter the time (like 4,37056) for field 8.
table _time and field8 --> and I'll get the date/time like 03.03.2016 04:46:23 and the Execution time like 4,37056

Now, when I want to show the date/time and Execution times in, for example, a line graph, it's empty -- I have the date/time (X-axis) and Execution time (Y-axis)

Unfortunately the graph is empty.

0 Karma
1 Solution

Legend

Okay, try this

source=log_file
| rex "Execution time in minutes: (?<exec_time>\S+)"
| eval Execution_time = tonumber(replace(exec_time, ",", "." ))
| timechart avg(Execution_time) as Avg_Execution_Time

or substitute the following for the timechart command:

| sort _time
| table _time Execution_time

The problem with the earlier answer is that Splunk interpreted the comma in the execution time as a thousands separator. And there was a typo, which I have corrected.



Explorer

The following worked and reflected the correct values in the 'graph':

| rex "Execution time in minutes: (?<exec_time>\S+)"
| eval Execution_time = tonumber(replace(exec_time, ",", "."))
| sort _time
| table _time Execution_time

Also the following did the job:

| rex field=Execution_Time mode=sed "s/,/./g"
| table _time Execution_Time

0 Karma

Explorer

Thanks for your help Iguinn!

0 Karma

Legend

Assuming that you have a field named execution_time, try this

yoursearchhere
| convert num(execution_time) as exec_time 
| sort _time
| table _time exec_time

Although this would probably make a better time chart:

yoursearchhere
| convert num(execution_time) as exec_time 
| timechart avg(exec_time) as Avg_Execution_Time
0 Karma

Legend

It would help if you showed the actual Splunk commands.

0 Karma

Explorer

My comments are not saved for an unknown reason.

0 Karma

Explorer

Original search:
index = xxxxx sourcetype = xxxxx host = xxxxx source = "Log-File" field4 = Execution field5 = time field6 = in field7 = "minutes:" Execution_Time = "*"

04.03.2016 10:19:47 : Execution time in minutes: 6,77968333333333
04.03.2016 09:19:36 : Execution time in minutes: 6,60625
04.03.2016 08:48:48 : Execution time in minutes: 5,80391666666667
04.03.2016 08:18:33 : Execution time in minutes: 5,5466


Adding | table time ExecutionTime -- this is how it should look in the graph -- date/time on the X-axis and Execution Time in minutes on the Y-axis

2016-03-04 10:19:47 6,77968333333333
2016-03-04 09:19:36 6,60625
2016-03-04 08:48:48 5,80391666666667
2016-03-04 08:18:33 5,5466

Visualization: X-axis and Y-axis look OK, but the graph is empty


When adding | convert num(ExecutionTime) as exectime | table time exectime

2016-03-04 10:19:47 677968333333333
2016-03-04 09:19:36 660625
2016-03-04 08:48:48 580391666666667
2016-03-04 08:18:33 55466
2016-03-04 07:48:30 54875

When I | timechart avg(exectime) as AvgExecution_Time I (now) get values in the graph -- unfortunately these are incorrect (=unusable).


I am new to Splunk, so all help is appreciated here.

The target is to get these execution times in minutes into a graph, with some alerts configured, e.g. if 'execution time' > 10 (minutes).

0 Karma
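An added Python example (not from the thread and not Splunk code) that reproduces the two conversions discussed in this thread on constructed lines in the same format: dropping the comma as if it were a thousands separator, which yields the inflated numbers shown in the table above, versus treating it as the decimal mark as the accepted answer does, plus the "> 10 minutes" check the alert would need. The sample lines, function names and the 12,5 entry are assumptions made for the example.

```python
import re

# Constructed sample lines in the format quoted in the thread (not real log data).
LOG_LINES = [
    "04.03.2016 10:19:47 : Execution time in minutes: 6,77968333333333",
    "04.03.2016 09:19:36 : Execution time in minutes: 6,60625",
    "04.03.2016 08:48:48 : Execution time in minutes: 5,80391666666667",
    "04.03.2016 08:18:33 : Execution time in minutes: 12,5",  # constructed, over the limit
]

# Same capture as the accepted answer's rex: everything after the label up to whitespace.
EXEC_TIME_RE = re.compile(r"Execution time in minutes: (?P<exec_time>\S+)")


def as_thousands_separator(raw: str) -> float:
    """Mimic reading the comma as a thousands separator, the behaviour the thread
    observed with convert num: the comma is dropped, so 6,60625 becomes 660625."""
    return float(raw.replace(",", ""))


def as_decimal_comma(raw: str) -> float:
    """Mimic eval tonumber(replace(exec_time, ",", ".")): the comma is the decimal mark."""
    return float(raw.replace(",", "."))


def parse_line(line: str, decimal_comma: bool = True):
    """Return (timestamp, minutes) for one line, or None if the label is absent."""
    m = EXEC_TIME_RE.search(line)
    if not m:
        return None
    timestamp = line.split(" : ", 1)[0]
    convert = as_decimal_comma if decimal_comma else as_thousands_separator
    return timestamp, convert(m.group("exec_time"))


def over_threshold(lines, limit_minutes: float = 10.0):
    """Timestamps whose execution time exceeds the limit (the alert condition asked for)."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[1] > limit_minutes:
            hits.append(parsed[0])
    return hits


if __name__ == "__main__":
    for line in LOG_LINES:
        print(parse_line(line, decimal_comma=False), "->", parse_line(line))
    print("over 10 min:", over_threshold(LOG_LINES))
```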