Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TimeChart implemention over two grouping

jayaraj1717
New Member
‎05-14-2018 01:08 AM

i have log file as below need to calculate Execution time for each events and dispay data by grouping with Errorcode and hostnames.

LogTime=2018-05-14T00:47:00.424-0700|Host=hostname1|ErroCode=00|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname1:process1:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname1|ErroCode=01|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname1:process2:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname2|ErroCode=00|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname2:process1:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname3|ErroCode=00|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname3:process1:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname2|ErroCode=01|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname2:process2:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname2|ErroCode=03|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname2:process1:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname1|ErroCode=00|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname1:process1:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname4|ErroCode=01|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname4:process2:<date>:<Uniquenumber>
LogTime=2018-05-14T00:47:00.424-0700|Host=hostname4|ErroCode=00|ExcutionTime=2018-05-14 00:47:00.219|Instname=hosnatname4:process1:<date>:<Uniquenumber>

i need data like every 15 minutes what is the avg Execution for each ErrorCode on each hosts

-_time ExecutionTime ErrorCode Host
2018-05-14 00:00:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 00 Hostname1
2018-05-14 00:15:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 01 Hostname1
2018-05-14 00:30:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 00 Hostname2
2018-05-14 00:45:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 01 Hostname2
2018-05-14 01:00:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 03 Hostname2
2018-05-14 01:15:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 00 Hostname3
2018-05-14 01:30:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 01 Hostname4
2018-05-14 01:45:00 avg(<< subrataion of LogTime - ScripExcutionTime>>) 02 Hostname4
0 Karma
Reply

FrankVl
Ultra Champion
‎05-14-2018 02:23 AM

You can't have more than 1 field in the BY clause of a timechart command unfortunately. What you can do, is concatenate the 2 fields into 1 before applying the timechart command. So for example:

| eval hostErrorCode = host."_".ErrorCode | timechart avg(ExecutionTime) by hostErrorCode

Calculating the Executiontime can be done by first converting the ScripExcutionTime to a timestamp value and then subtracting it from _time (assuming log time is already captured in _time, otherwise do a similar conversion for log time as well).

| eval ScripExcutionTime = strptime(ScripExcutionTime,"%Y-%m-%d %H:%M:%S.%3Q")
0 Karma
Reply

jayaraj1717
New Member
‎05-14-2018 04:41 AM

i have 12 host and 10 plus ErrorCode. only few host are returning and remaining are moving to OTHER. same happening for ErrCode. only few's are coming.
_time OTHER XXXXXXXXXX3_00 XXXXXXXXX4_00 XXXXXXXXX3_10 XXXXXXXXX6_00 XXXXXXXXX7_00 XXXXXXXXX9_00 XXXXXXXXX0_00 XXXXXXXXX8_00 XXXXXXXXX8_10 XXXXXXXXX0_00
2018-05-06 00:00:00 0.169741 0.204697 0.204866 0.204312 0.204415 0.201709 0.171336 0.173867 0.170226 0.169900 0.168801
2018-05-06 00:15:00 0.170710 0.209113 0.205724 0.205761 0.205966 0.205338 0.174896 0.175960 0.172567 0.172088 0.172196
2018-05-06 00:30:00 0.169880 0.211389 0.207215 0.206823 0.203674 0.203884 0.183361 0.179539 0.169477 0.173195 0.171637

0 Karma
Reply

FrankVl
Ultra Champion
‎05-14-2018 04:55 AM

Add a limit=0 to your timechart command, to keep all values instead of having them aggregated into OTHER.

Alternatively you could look at the xyseries, which I think should allow you to have multiple fields in the by clause, but doesn't give you the nice continuous timerange that timechart does.

Or take the effort to create a dashboard with 12 manually constructed panels, one for each host, such that each graph itself only shows the executiontime by errorcode. For 12 hosts that is still fairly feasible.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...