Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Turns stats into timechart with avg
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I asked in a previous thread for help to get response time based on time differential between two events connected by a UUID (Solved: Re: Measuring time difference between 2 entries - Splunk Community) which is working perfectly.
I turned that into an average response time grouped by a particular transaction type (processName) and thats working fine as well, but I would very much like to use this as a timechart - but I can't seem to get it working.
From what I understand, the fact that I am using Stats stripts out the _time which the timechart uses, but I am not sure how to work around that.
My query goes as follows:
[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| stats avg(ResponseTime) by processNameI've tried a number of things that didn't work, including changing stats to:
| timechart span=10m Avg(ResponseTime) by processNameWhile this did perform a search, it generated no result whatsoever. Won't bore everyone with my multiple failures.
My query gives me basically
| ProcessName | Avg(Response_time) |
| Process1 | 0.5 |
| Process2 | 0.6 |
| Process3 | 0.7 |
My goal is to get this as a time chart visualization with a span of 10 mins.
Any suggestions ?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is because timechart command requires to have the _time field, and you are removing it with the first stats command.
Try this:
[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| eval _time = Begin_time
| timechart span=10m avg(ResponseTime) by processName- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beautiful. Thank you, this worked and now I understand how to pass the time in when it gets stripped out earlier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is because timechart command requires to have the _time field, and you are removing it with the first stats command.
Try this:
[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| eval _time = Begin_time
| timechart span=10m avg(ResponseTime) by processName
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
