Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Turns stats into timechart with avg
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I asked in a previous thread for help to get response time based on time differential between two events connected by a UUID (Solved: Re: Measuring time difference between 2 entries - Splunk Community) which is working perfectly.
I turned that into an average response time grouped by a particular transaction type (processName) and thats working fine as well, but I would very much like to use this as a timechart - but I can't seem to get it working.
From what I understand, the fact that I am using Stats stripts out the _time which the timechart uses, but I am not sure how to work around that.
My query goes as follows:
[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| stats avg(ResponseTime) by processNameI've tried a number of things that didn't work, including changing stats to:
| timechart span=10m Avg(ResponseTime) by processNameWhile this did perform a search, it generated no result whatsoever. Won't bore everyone with my multiple failures.
My query gives me basically
| ProcessName | Avg(Response_time) |
| Process1 | 0.5 |
| Process2 | 0.6 |
| Process3 | 0.7 |
My goal is to get this as a time chart visualization with a span of 10 mins.
Any suggestions ?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is because timechart command requires to have the _time field, and you are removing it with the first stats command.
Try this:
[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| eval _time = Begin_time
| timechart span=10m avg(ResponseTime) by processName- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beautiful. Thank you, this worked and now I understand how to pass the time in when it gets stripped out earlier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is because timechart command requires to have the _time field, and you are removing it with the first stats command.
Try this:
[My search here]
| stats
earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time
latest(eval(if(eventType="END",_time,""))) AS End_time
BY UUID processName
| eval ResponseTime=End_time-Begin_time
| eval _time = Begin_time
| timechart span=10m avg(ResponseTime) by processName
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
