Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect 1: How to use "timechart avg()" in a dbquery search?

mark_chuman
Path Finder
‎01-26-2016 02:04 PM

This search works fine:

"DBOMA" "SELECT "Time" , "Virtual_Machine" , "ready" FROM DBSTDBO.CPUBYVM where "Virtual_Machine" BETWEEN 'vmname001' AND 'vmname025'" | eval Time=strftime(Time,"%m/%d/%y %H:%M:%S") | search Time>"01/26/16 09:25:00" | search Time<"01/26/16 09:55:00"

But this search below fails with no results found. I've used timechart avg successfully before, so not sure if it's snagging on something because it's a dbquery.

"DBOMA" "SELECT "Time" , "Virtual_Machine" , "ready" FROM DBSTDBO.CPUBYVM where "Virtual_Machine" BETWEEN 'vmname001' AND 'vmname025'" | eval Time=strftime(Time,"%m/%d/%y %H:%M:%S") | search Time>"01/26/16 09:25:00" | search Time<"01/26/16 09:55:00" | timechart avg("ready") by Virtual_Machine
0 Karma
Reply

somesoni2
Revered Legend
‎01-26-2016 02:32 PM

The reason timechart is failing as it expects a fields with name "_time" in epoch format timestmap and which is not present in your output of dbquery. Try something like this (also change the comparison of date in epoch format)

"DBOMA" "SELECT "Time" , "Virtual_Machine" , "ready" FROM DBSTDBO.CPUBYVM where "Virtual_Machine" BETWEEN 'vmname001' AND 'vmname025'"  | search Time>strptime("01/26/16 09:25:00","%m/%d/%y %H:%M:%S") AND Time<strptime("01/26/16 09:55:00","%m/%d/%y %H:%M:%S") | rename Time as _time | timechart avg("ready") by Virtual_Machine
0 Karma
Reply

mark_chuman
Path Finder
‎01-27-2016 05:12 AM

So, this query completes successfully

| dbquery "TQOMA" "SELECT "Time" , "Virtual_Machine" , "ready" FROM TQSTDBO.CPUBYVM where "Virtual_Machine" BETWEEN 'vW7NTXMCSOMA001' AND 'vW7NTXMCSOMA025'"

This query completes with no results found

| dbquery "TQOMA" "SELECT "Time" , "Virtual_Machine" , "ready" FROM TQSTDBO.CPUBYVM where "Virtual_Machine" BETWEEN 'vW7NTXMCSOMA001' AND 'vW7NTXMCSOMA025'" | search Time>strptime("01/26/16 09:25:00","%m/%d/%y %H:%M:%S") AND Time<strptime("01/26/16 09:55:00","%m/%d/%y %H:%M:%S")
0 Karma
Reply

gyslainlatsa
Motivator
‎01-26-2016 02:15 PM

hi mark.chuman,

if ready is one field, try replace | timechart avg("ready") by Virtual_Machine by | timechart avg(ready) by Virtual_Machine

0 Karma
Reply

mark_chuman
Path Finder
‎01-27-2016 05:09 AM

thanks. tried this before and it comes up with same result as original query

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...