Splunk Search

how to get a time chart for the queuedepth for a given queue name

New Member

I need to get a timechart for the data define by the search query

sourcetype=bsgmc tranStatus="'ENTER'" | stats count as incomingcount by queueName | table queueName incomingcount | appendcols [search sourcetype=bsgmc tranStatus="'EXIT'" | stats count as outgoingcount by queueName | table outgoingcount] | eval QueueDepth=incomingcount-outgoingcount | table queueName QueueDepth

Data is in this format :
'10'
'ENTER'
tranId='10'
eventEndTs='Fri Aug 09 00:52:53 PDT 2019'}
queueName='FRAUD'
eventStartTs='Fri Aug 09 00:52:53 PDT 2019'
tranStatus='ENTER'

tried the following but not getting the results
sourcetype=bsgmc tranStatus="'ENTER'" | stats count as incomingcount by queueName | table queueName incomingcount | appendcols [search sourcetype=bsgmc tranStatus="'EXIT'" | stats count as outgoingcount by queueName | table outgoingcount] | eval QueueDepth=incomingcount-outgoingcount | table queueName QueueDepth | timechart count(QueueDepth) by queueName

0 Karma

SplunkTrust
SplunkTrust

maybe try something like that:

  index=<YOUR_INDEX> sourcetype=bsgmc (tranStatus="'ENTER'" OR tranStatus="EXIT") | timechart count(eval(tranStatus="ENTER")) as incomingcount  timechart count(eval(tranStatus="EXIT")) as outgoingcount by queueName  usenull=false

hope it helps

0 Karma

New Member

No luck with query
Error in 'timechart' command: The specifier 'timechart' is invalid. It must be in form (). For example: max(size).

0 Karma