Splunk Search

Timechart graph with difference in values ​​over the last 60 minutes

leandromatperei
Path Finder

I have the result below in a table, but for some technical reasons I need to check these values ​​in a bar chart, but as the field is a string containing date and time I am not able to perform the conversion

 

index=teste "EnviaSMS" | table _time, enviaSMS, GravaDB, VerificaTotal 
| rename VerificaTotalSec As "Verifica - TotalEmSegundos" | sort -_time

 

 

Application Log:

 

2020-07-21T12:49:40.168 Dbg 09900 [000c02f527958102] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s16ms - VerificaTotal:0h0m0s172ms

2020-07-21T12:49:40.136 Dbg 09900 [000c02f527957636] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s0ms - VerificaTotal:0h0m0s155ms

2020-07-21T12:49:40.136 Dbg 09900 [000c02f527957636] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s0ms - VerificaTotal:0h0m0s160ms

 

 

How could I calculate the last 60 minutes on a line graph displaying the information in the 03 columns?

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

This should help with the conversion.

| makeresults | eval data="2020-07-21T12:49:40.168 Dbg 09900 [000c02f527958102] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s16ms - VerificaTotal:0h0m0s172ms|
2020-07-21T12:49:40.136 Dbg 09900 [000c02f527957636] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s0ms - VerificaTotal:0h0m0s155ms|
2020-07-21T12:49:40.136 Dbg 09900 [000c02f527957636] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s0ms - VerificaTotal:0h0m0s160ms" | eval data=split(data,"|") | mvexpand data | eval _raw=data
| eval _time=strptime(_raw, "%Y-%m-%dT%H:%M:%S.%3N")
| rex "EnviaSMS:(?<enviaSMS>\w+)"
| rex "GravaDB:(?<GravaDB>\w+)"
| rex "VerificaTotal:(?<VerificaTotal>\w+)"
```Above just defines test data```
| rex field=enviaSMS "(?<hr>\d+)h(?<min>\d+)m(?<sec>\d+)s(?<ms>\d+)"
| eval enviaSMS=exact(hr*3600+min*60+sec+(ms/1000))
| rex field=GravaDB "(?<hr>\d+)h(?<min>\d+)m(?<sec>\d+)s(?<ms>\d+)"
| eval GravaDB=exact(hr*3600+min*60+sec+(ms/1000))
| rex field=VerificaTotal "(?<hr>\d+)h(?<min>\d+)m(?<sec>\d+)s(?<ms>\d+)"
| eval VerificaTotal=exact(hr*3600+min*60+sec+(ms/1000))
| table _time, enviaSMS, GravaDB, VerificaTotal
| rename VerificaTotal As "Verifica - TotalEmSegundos" | sort -_time
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This should help with the conversion.

| makeresults | eval data="2020-07-21T12:49:40.168 Dbg 09900 [000c02f527958102] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s16ms - VerificaTotal:0h0m0s172ms|
2020-07-21T12:49:40.136 Dbg 09900 [000c02f527957636] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s0ms - VerificaTotal:0h0m0s155ms|
2020-07-21T12:49:40.136 Dbg 09900 [000c02f527957636] [Tempos] - EnviaSMS:0h0m0s0ms - GravaDB:0h0m0s0ms - VerificaTotal:0h0m0s160ms" | eval data=split(data,"|") | mvexpand data | eval _raw=data
| eval _time=strptime(_raw, "%Y-%m-%dT%H:%M:%S.%3N")
| rex "EnviaSMS:(?<enviaSMS>\w+)"
| rex "GravaDB:(?<GravaDB>\w+)"
| rex "VerificaTotal:(?<VerificaTotal>\w+)"
```Above just defines test data```
| rex field=enviaSMS "(?<hr>\d+)h(?<min>\d+)m(?<sec>\d+)s(?<ms>\d+)"
| eval enviaSMS=exact(hr*3600+min*60+sec+(ms/1000))
| rex field=GravaDB "(?<hr>\d+)h(?<min>\d+)m(?<sec>\d+)s(?<ms>\d+)"
| eval GravaDB=exact(hr*3600+min*60+sec+(ms/1000))
| rex field=VerificaTotal "(?<hr>\d+)h(?<min>\d+)m(?<sec>\d+)s(?<ms>\d+)"
| eval VerificaTotal=exact(hr*3600+min*60+sec+(ms/1000))
| table _time, enviaSMS, GravaDB, VerificaTotal
| rename VerificaTotal As "Verifica - TotalEmSegundos" | sort -_time
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!