Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Response Time with hour intervals

denisevw
Path Finder
‎05-22-2014 09:11 AM

I posted a question earlier this month regarding Response Time with an additional calculation.

What I need now, is help with doing the same search, but with a timechart, hourly interval.
Example
Time Average Response Time
date 13:00 0.528
date 14:00 0.896
etc.

My current search is
index=myindex* host="server" Message_Type="99*" OR Message_Type="91*" OR Message_Type="92*" OR Message_Type="94*" source=EasyPayVAGAS | dedup Message_Type, UUID | stats first(_time) as begin last(_time) as end by UUID | eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime) | stats avg(Response_Time) as Response_Time | eval RT_Avg=round(Response_Time,3) | table RT_Avg

Any assistance will be appreaciated, thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-22-2014 09:36 AM

Try this

index=myindex host="server" Message_Type="99" OR Message_Type="91" OR Message_Type="92" OR Message_Type="94" source=EasyPayVAGAS* | dedup Message_Type, UUID | eval Time=_time | bucket span=1h _time | stats first(Time) as begin last(Time) as end by UUID,_time| eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime) | timechart span=1h avg(Response_Time) as RT_Avg | eval RT_Avg=round(RT_Avg,3)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-22-2014 09:36 AM

Try this

index=myindex host="server" Message_Type="99" OR Message_Type="91" OR Message_Type="92" OR Message_Type="94" source=EasyPayVAGAS* | dedup Message_Type, UUID | eval Time=_time | bucket span=1h _time | stats first(Time) as begin last(Time) as end by UUID,_time| eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime) | timechart span=1h avg(Response_Time) as RT_Avg | eval RT_Avg=round(RT_Avg,3)
Reply
Solved! Jump to solution

denisevw
Path Finder
‎05-22-2014 12:39 PM

Manage to get the search working with the results I need.
..my searches.. | eval Time=_time | bucket span=1h _time | stats first(Time) as begin last(Time) as end by UUID,_time | eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime) | timechart span=1h avg(Response_Time) as RT_Avg

Thanks for your assistance "somesoni2"

0 Karma
Reply
Solved! Jump to solution

denisevw
Path Finder
‎05-22-2014 11:51 AM

Yes, it returns UUID, _time, begin, end
Now for the calculation
Added "| eval responsetime=begin-end | eval Response_Time=if(responsetime>45,"45.000",responsetime)" and it displays the results correct.
All I need now is to add each UUID which displays the same hour (13:00 or 17:00) together.
Any suggestions on a calculation/search for adding result with the same time?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-22-2014 11:19 AM

Does this returns anything?

index=myindex host="server" Message_Type="99" OR Message_Type="91" OR Message_Type="92" OR Message_Type="94" source=EasyPayVAGAS* | dedup Message_Type, UUID | eval Time=_time | bucket span=1h _time | stats first(Time) as begin last(Time) as end by UUID,_time

Reply
Solved! Jump to solution

denisevw
Path Finder
‎05-22-2014 11:08 AM

Thanks for the quick response.
The search did not return any result.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...