Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get a time chart for the queuedepth for a given queue name

dhirajsir
New Member
‎08-09-2019 02:24 AM

I need to get a timechart for the data define by the search query

sourcetype=bsgmc tranStatus="'ENTER'" | stats count as incomingcount by queueName | table queueName incomingcount | appendcols [search sourcetype=bsgmc tranStatus="'EXIT'" | stats count as outgoingcount by queueName | table outgoingcount] | eval QueueDepth=incomingcount-outgoingcount | table queueName QueueDepth

Data is in this format :
'10'
'ENTER'
tranId='10'
eventEndTs='Fri Aug 09 00:52:53 PDT 2019'}
queueName='FRAUD'
eventStartTs='Fri Aug 09 00:52:53 PDT 2019'
tranStatus='ENTER'

tried the following but not getting the results
sourcetype=bsgmc tranStatus="'ENTER'" | stats count as incomingcount by queueName | table queueName incomingcount | appendcols [search sourcetype=bsgmc tranStatus="'EXIT'" | stats count as outgoingcount by queueName | table outgoingcount] | eval QueueDepth=incomingcount-outgoingcount | table queueName QueueDepth | timechart count(QueueDepth) by queueName

0 Karma
Reply

adonio
Ultra Champion
‎08-09-2019 05:24 AM

maybe try something like that:

  index=<YOUR_INDEX> sourcetype=bsgmc (tranStatus="'ENTER'" OR tranStatus="EXIT") | timechart count(eval(tranStatus="ENTER")) as incomingcount  timechart count(eval(tranStatus="EXIT")) as outgoingcount by queueName  usenull=false

hope it helps

0 Karma
Reply

dhirajsir
New Member
‎08-14-2019 02:12 PM

No luck with query
Error in 'timechart' command: The specifier 'timechart' is invalid. It must be in form (). For example: max(size).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...