Splunk Search

Turns stats into timechart with avg

Silah
Path Finder

I asked in a previous thread for help to get response time based on time differential between two events connected by a UUID (Solved: Re: Measuring time difference between 2 entries - Splunk Community) which is working perfectly.

I turned that into an average response time grouped by a particular transaction type (processName) and that's working fine as well, but I would very much like to use this as a timechart - but I can't seem to get it working.

From what I understand, the fact that I am using stats strips out the _time which the timechart uses, but I am not sure how to work around that.

My query goes as follows:

[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| stats avg(ResponseTime) by processName

I've tried a number of things that didn't work, including changing stats to:

| timechart span=10m Avg(ResponseTime) by processName

While this did perform a search, it generated no result whatsoever. Won't bore everyone with my multiple failures.

My query gives me basically

ProcessName Avg(Response_time)
Process1 0.5
Process2 0.6
Process3 0.7


My goal is to get this as a time chart visualization with a span of 10 mins.

Any suggestions?

Thanks


glc_slash_it
Path Finder

That is because the timechart command requires the _time field, and you are removing it with the first stats command.

Try this:

[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| eval _time = Begin_time
| timechart span=10m avg(ResponseTime) by processName

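The same pipeline re-created in Python as an added example (not from this thread) over constructed BEGIN/END events: the first grouping step keeps only Begin_time/End_time per UUID, so bucketing has to reuse Begin_time as the event time, and a transaction with no END yet yields a null ResponseTime that the average skips.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (epoch seconds, eventType, UUID, processName)
EVENTS = [
    (1000, "BEGIN", "u1", "Process1"),
    (1000.5, "END", "u1", "Process1"),
    (1200, "BEGIN", "u2", "Process2"),
    (1200.7, "END", "u2", "Process2"),
    (1700, "BEGIN", "u3", "Process1"),
    (1701.5, "END", "u3", "Process1"),
    (1800, "BEGIN", "u4", "Process1"),  # no END yet: ResponseTime stays null
]

SPAN = 600  # timechart span=10m, in seconds


def pair_by_uuid(events):
    """First stats: earliest BEGIN and latest END per (UUID, processName).
    Note that the original _time is gone from the output rows."""
    begin, end = {}, {}
    for t, etype, uuid, proc in events:
        key = (uuid, proc)
        if etype == "BEGIN":
            begin[key] = min(t, begin.get(key, t))
        elif etype == "END":
            end[key] = max(t, end.get(key, t))
    rows = []
    for key, b in begin.items():
        e = end.get(key)
        # eval ResponseTime=End_time-Begin_time; null when END is missing
        rt = e - b if e is not None else None
        rows.append({"UUID": key[0], "processName": key[1],
                     "Begin_time": b, "End_time": e, "ResponseTime": rt})
    return rows


def timechart_avg(rows, span=SPAN):
    """eval _time = Begin_time | timechart span=10m avg(ResponseTime) by processName.
    Returns {(bucket_start, processName): average}."""
    buckets = defaultdict(list)
    for r in rows:
        if r["ResponseTime"] is None:
            continue  # avg() ignores null values
        bucket = (r["Begin_time"] // span) * span  # floor _time to the span boundary
        buckets[(bucket, r["processName"])].append(r["ResponseTime"])
    return {k: mean(v) for k, v in sorted(buckets.items())}
```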

Silah
Path Finder

Beautiful. Thank you, this worked and now I understand how to pass the time in when it gets stripped out earlier.

