Splunk Search

Turns stats into timechart with avg

Silah
Path Finder

I asked in a previous thread for help to get response time based on time differential between two events connected by a UUID (Solved: Re: Measuring time difference between 2 entries - Splunk Community) which is working perfectly.

I turned that into an average response time grouped by a particular transaction type (processName) and that's working fine as well, but I would very much like to use this as a timechart - but I can't seem to get it working.

From what I understand, the fact that I am using stats strips out the _time which the timechart uses, but I am not sure how to work around that.

My query goes as follows:

[My search here]
| stats
    earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
    latest(eval(if(eventType="END",_time,""))) AS End_time
    BY UUID processName
| eval ResponseTime=End_time-Begin_time
| stats avg(ResponseTime) by processName

I've tried a number of things that didn't work, including changing stats to:

| timechart span=10m Avg(ResponseTime) by processName

While this did perform a search, it generated no result whatsoever. Won't bore everyone with my multiple failures.

My query gives me basically

ProcessName    Avg(Response_time)
Process1       0.5
Process2       0.6
Process3       0.7


My goal is to get this as a time chart visualization with a span of 10 mins.

Any suggestions?

Thanks


glc_slash_it
Path Finder

That is because the timechart command requires the _time field, and you are removing it with the first stats command.

Try this:

[My search here]
| stats
    earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
    latest(eval(if(eventType="END",_time,""))) AS End_time
    BY UUID processName
| eval ResponseTime=End_time-Begin_time
| eval _time=Begin_time
| timechart span=10m avg(ResponseTime) by processName

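As an added illustration, not part of the thread and not Splunk code: a Python simulation of what the accepted pipeline computes, run over a handful of constructed BEGIN/END events. It reproduces the three stages (stats by UUID, eval of ResponseTime, eval of _time followed by a 10-minute timechart) so you can see why the first stats leaves timechart with nothing to bucket, what choosing _time=Begin_time rather than End_time does to a transaction that straddles a span boundary, and that transactions missing either their BEGIN or their END drop out of the average. The event data, the field values and the null handling are assumptions made for the simulation.

```python
"""Simulate, in plain Python, the SPL pipeline from the accepted answer:

    | stats earliest(BEGIN _time) AS Begin_time latest(END _time) AS End_time BY UUID processName
    | eval ResponseTime=End_time-Begin_time
    | eval _time=Begin_time
    | timechart span=10m avg(ResponseTime) by processName
"""
from collections import defaultdict

# Constructed sample events (epoch seconds, eventType, UUID, processName); not from the thread.
T0 = 1699999800.0  # an exact 10-minute boundary: T0 / 600 == 2833333
EVENTS = [
    {"_time": T0 + 10.0,   "eventType": "BEGIN", "UUID": "a1", "processName": "Process1"},
    {"_time": T0 + 10.5,   "eventType": "END",   "UUID": "a1", "processName": "Process1"},
    {"_time": T0 + 100.0,  "eventType": "BEGIN", "UUID": "a2", "processName": "Process1"},
    {"_time": T0 + 100.75, "eventType": "END",   "UUID": "a2", "processName": "Process1"},
    {"_time": T0 + 590.0,  "eventType": "BEGIN", "UUID": "b1", "processName": "Process2"},
    {"_time": T0 + 605.0,  "eventType": "END",   "UUID": "b1", "processName": "Process2"},  # straddles T0+600
    {"_time": T0 + 700.0,  "eventType": "BEGIN", "UUID": "c1", "processName": "Process3"},
    {"_time": T0 + 700.25, "eventType": "END",   "UUID": "c1", "processName": "Process3"},
    {"_time": T0 + 650.0,  "eventType": "BEGIN", "UUID": "d1", "processName": "Process1"},  # never ends
    {"_time": T0 + 20.0,   "eventType": "END",   "UUID": "e9", "processName": "Process2"},  # BEGIN never seen
]


def pair_by_uuid(events):
    """Stage 1: stats earliest(...) AS Begin_time latest(...) AS End_time BY UUID processName.

    One row per (UUID, processName). A missing BEGIN or END is None, standing in
    for the null Splunk produces. Note that _time is gone from the rows: that is
    why a bare timechart placed directly after this stats returns nothing.
    """
    rows = {}
    for ev in events:
        key = (ev["UUID"], ev["processName"])
        row = rows.setdefault(key, {"UUID": ev["UUID"], "processName": ev["processName"],
                                    "Begin_time": None, "End_time": None})
        t = ev["_time"]
        if ev["eventType"] == "BEGIN" and (row["Begin_time"] is None or t < row["Begin_time"]):
            row["Begin_time"] = t          # earliest() keeps the smallest timestamp
        elif ev["eventType"] == "END" and (row["End_time"] is None or t > row["End_time"]):
            row["End_time"] = t            # latest() keeps the largest timestamp
    return list(rows.values())


def add_response_time(rows):
    """Stage 2: eval ResponseTime=End_time-Begin_time (null when either side is null)."""
    for row in rows:
        b, e = row["Begin_time"], row["End_time"]
        row["ResponseTime"] = None if b is None or e is None else e - b
    return rows


def timechart_avg(rows, span=600, time_field="Begin_time"):
    """Stage 3: eval _time=<time_field> | timechart span=<span> avg(ResponseTime) by processName.

    Returns {bucket_start_epoch: {processName: average}}. Rows whose chosen
    _time or ResponseTime is null contribute nothing, as avg() ignores nulls.
    """
    sums = defaultdict(lambda: defaultdict(lambda: [0.0, 0]))
    for row in rows:
        t, rt = row.get(time_field), row["ResponseTime"]
        if t is None or rt is None:
            continue
        bucket = int(t // span) * span      # align to the start of the span, like timechart
        acc = sums[bucket][row["processName"]]
        acc[0] += rt
        acc[1] += 1
    return {b: {p: s / n for p, (s, n) in procs.items()} for b, procs in sorted(sums.items())}


def run(events=EVENTS, time_field="Begin_time"):
    """Whole pipeline; time_field selects which timestamp becomes _time before timechart."""
    return timechart_avg(add_response_time(pair_by_uuid(events)), time_field=time_field)


if __name__ == "__main__":
    for tf in ("Begin_time", "End_time"):
        print(f"_time = {tf}")
        for bucket, procs in run(time_field=tf).items():
            print(f"  {bucket}  {procs}")
```

With _time=Begin_time (the answer's choice) the 15-second Process2 transaction is charted in the bucket where it started; switching to End_time moves it to the bucket where it completed. Either way every row needs some _time before timechart can bucket it, and the two incomplete transactions (d1 without an END, e9 without a BEGIN) never reach the average.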

Silah
Path Finder

Beautiful. Thank you, this worked and now I understand how to pass the time in when it gets stripped out earlier.

