Splunk Search

Why is my timechart search WHERE duration > 8 not returning any data?

skoelpin (SplunkTrust)

I have a lot of SOAP req/resp pairs, and I was able to match them up and find the time between them (duration). I then input this search and was returned all of the unique identifiers (GUIDs) with a duration longer than 8 seconds. Now I want to chart this using timechart. Every time I try to do this, nothing comes up, even though a list of 100+ GUIDs was present when I didn't have the timechart command in there.

My original search, which returned rows of the expected data in the 'Statistics' tab:

index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| TOP GUID by duration | WHERE duration>8

My unsuccessful timechart search, which returns NO data:

index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| TOP GUID by duration | timechart list(duration) | WHERE duration>8
1 Solution

skoelpin (SplunkTrust)

I was finally able to get it with this query. I was unaware that Splunk has a built-in Visualization editor, which helped a lot.

index=uv GUID1="*" NOT "ERROR"  | transaction GUID1 startswith="CalculateTaxRequest" endswith="CalculatetaxResponse" | where duration>8| timechart count by duration

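Why the chain in the question returns nothing, and an added example of a timechart that does work. The searches below are not code from the thread; they assume the same index, the same GUID field (the accepted answer uses GUID1 instead) and the same request/response marker strings as the question, and an hourly span that is a guess for the data. `top GUID by duration` emits one row per GUID/duration pair carrying only the fields GUID, duration, count and percent. `_time` is gone at that point, so `timechart` has no timestamp to bucket on and produces no rows. The trailing `| WHERE duration>8` then filters on a field that does not exist either, because the output column of `timechart list(duration)` is named `list(duration)`, not `duration`. The fix is to keep the filter before `timechart`, apply it to the transaction rows that still carry `_time`, and choose a statistical function that yields one number per time bucket:

```spl
index=uv GUID="*" NOT "ERROR"
| transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"
| where duration > 8
| timechart span=1h count AS slow_calls, max(duration) AS max_duration, avg(duration) AS avg_duration

index=uv GUID="*" NOT "ERROR"
| transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"
| where duration > 8
| timechart span=1h max(duration) by GUID where max in top10
```

The first search gives three single-value series per bucket (how many slow calls, the slowest one, the average), which is what a line or column chart needs. The second splits the series per GUID and uses timechart's own `where` clause, the one the docs link above describes, to keep the ten GUIDs with the highest maximum duration and fold the rest into OTHER instead of relying on the default series cap. Note that splitting `by duration`, as in the accepted answer, creates one series per distinct duration value, so with the default limit of ten series most values land in OTHER.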

MuS (SplunkTrust)

Hi skoelpin, have you tried to use the where clause directly with the timechart command, as written in the docs at http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Timechart#Using_where_clauses ? Also, be aware that using the list() function creates a multi-value field, whereas in the first search you're using single-value fields for duration.

skoelpin (SplunkTrust)

Also, I think you may be correct about the list() function. Maybe I should be using a different function; any suggestions?

MuS (SplunkTrust)

What is your intention using list? Maybe it helps if you tell us what you expect as a result.

skoelpin (SplunkTrust)

The unique identifier (GUID) is tied to BOTH the request and response. So when a SOAP request is sent, it has a timestamp and on the response it also has a timestamp. The Transaction command groups these together so I have an output in the 'Statistics' tab which shows the GUID and total duration (time for each SOAP request to respond).

Duration                GUID

9.3387                  dsf234-sdf-234-dsf-344
11.234                  jhhbj-767-sdfds-sdfds
10.333                  dfds3-h33-hbh3-23jjkk

So I currently have this output with my first query, but now I want to make a timechart visually showing the duration. I've tried using count(duration), list(duration), and values(duration) with no luck

MuS (SplunkTrust)

Okay, how about a different approach? This is untested, but why not try this:

index=uv GUID="*" NOT "ERROR" | stats earliest(_time) AS earliest_time latest(_time) AS latest_time by GUID, _time | eval Duration=latest_time-earliest_time | where Duration > 8 | stats count by GUID, Duration, _time TOP GUID | fields - count
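
A stats-based version of the approach MuS sketches above, added here as an example; it is not code from the thread. It assumes the same index and GUID field as the question, that the two literal strings from the question identify the request and response events, and that a GUID's request is always logged before its response (so the earliest event is the request). The point it demonstrates is the same one that breaks the timechart in the question: `stats ... by GUID` discards `_time` just as `top` does, so the search re-creates `_time` from the request timestamp before handing the rows to `timechart`:

```spl
index=uv GUID="*" NOT "ERROR" ("CalculateTaxRequest" OR "CalculatetaxResponse")
| eval kind=if(searchmatch("CalculateTaxRequest"), "request", "response")
| stats min(_time) AS request_time, max(_time) AS response_time, dc(kind) AS kinds by GUID
| where kinds=2
| eval duration=response_time-request_time, _time=request_time
| where duration > 8
| timechart span=1h count AS slow_calls, max(duration) AS max_duration
```

`where kinds=2` keeps only GUIDs that have both a request and a response, which is what `transaction`'s startswith/endswith pair enforces. Unlike `transaction`, which has to hold events in memory until each group closes, `stats` is fully distributable across indexers and does not hit transaction's memory limits, so this form scales better over a large search window.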

skoelpin (SplunkTrust)

I see what you did there, but unfortunately it did not work. I was finally able to get it and will post my solution below. Thanks for your help and time!
I appreciate it.

sk314 (Builder)

Have you tried this:

index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| table GUID  duration | WHERE duration > 8 | sort duration desc

Also, switch the tab to visualization and select "column" or "line"

(I know. Kind of tacky.)

skoelpin (SplunkTrust)

This kind of worked but not exactly what I was looking for. Thanks for taking the time to help though!

skoelpin (SplunkTrust)

Thanks for the response! I took out the where clause and still have the same problem. My original search (the first one listed in my question) returns exactly what I'm looking for. But when I add timechart, nothing appears, so I'm not sure if it has anything to do with WHERE. Any other suggestions?
