Solved: how to create chart for time on X axis and filed o...

saisree · ‎03-28-2015

This is my data.. now i want to take chart for time vs each command .. if it is possible have to show duration between start and end time of each command.. plz help me ..

03-25-2015 03:04:31.189, cmd_name=cmd1(Start_time_of_if)
03-25-2015 03:09:31.189, cmd_name=cmd1(end_time_of_if)

03-25-2015 03:12:31.189, cmd_name=cmd2(Start_time_of_if)
03-25-2015 03:17:31.189, cmd_name=cmd2(end_time_of_if)
03-25-2015 03:20:31.189, cmd_name=cmd3(Start_time_of_grep)
03-25-2015 03:24:31.189, cmd_name=cmd3(end_time_of_grep)
03-25-2015 03:27:31.189, cmd_name=cmd4(Start_time_of_if)
03-25-2015 03:32:31.189, cmd_name=cmd4(end_time_of_if)
03-25-2015 03:38:31.189, cmd_name=cmd5(Start_time_of_sed_command)
03-25-2015 03:42:31.189, cmd_name=cmd5(end_time_of_sed_command)
03-25-2015 03:49:31.189, cmd_name=cmd6(Start_time_of_if)
03-25-2015 03:55:31.189, cmd_name=cmd6(End_time_of_if)

Thank u

esix_splunk · ‎03-28-2015

I would use the transaction command. That will give you a duration.

First would be to confirm that the cmd_name is extracted. If not, I'd extract this..

..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"

After you run that, you should see cmd_name is extracted as cmd1,cmd2, etc.

Then add transaction to that..

..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"  | transaction cmd_name beginswith="Start_time" endswith="end_time"

That should give you a per cmd_name transaction. Check the duration fields. You can perform your timechart or stats off of that...

 ..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"  | transaction cmd_name beginswith="Start_time" endswith="end_time" | timechart count by duration

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction

View solution in original post

esix_splunk · ‎03-28-2015

I would use the transaction command. That will give you a duration.

First would be to confirm that the cmd_name is extracted. If not, I'd extract this..

..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"

After you run that, you should see cmd_name is extracted as cmd1,cmd2, etc.

Then add transaction to that..

..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"  | transaction cmd_name beginswith="Start_time" endswith="end_time"

That should give you a per cmd_name transaction. Check the duration fields. You can perform your timechart or stats off of that...

 ..main search .. | rex field=_raw "cmd_name\=\(?<cmd_name>[^\)]+)\)"  | transaction cmd_name beginswith="Start_time" endswith="end_time" | timechart count by duration

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction

saisree · ‎03-28-2015

Thank u for u respond sir.. but i am trying to run rex command its showing like Regex: unmatched parentheses
will u help out of this plz

Thank u

esix_splunk · ‎03-29-2015

Did you resolve the parenthesis error? Cut and paste might have missed a character.

saisree · ‎03-29-2015

yes i solved it .. but when i am running whole command its showing no resluts ....I tried a lot but i am not getting sir

esix_splunk · ‎03-29-2015

Can you paste your full search into here. And be sure to use the quotes field.

vasavigangana · ‎03-29-2015

source="all_option_to_tmp" | rex field=_raw "cmd_name=\(?[^)]+))" | transaction cmd_name startswith="Start_time" endswith="end_time" | timechart count by duration

saisree · ‎03-29-2015

pls consider the following search

source="all_option_to_tmp" | rex field=_raw "cmd_name=(?[^]+))" | transaction cmd_name startswith="Start_time" endswith="end_time" |timechart count by duration

how to create chart for time on X axis and filed on Y axis... pls help am new to splunk and it is very important pls

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout