Splunk Search

timechart with range (_time) not working

Engager

I have created two event types from logs to capture messaging events received and processed, having the same contextId; from which I am trying to chart the duration of time taken to process a message by contextId. But the time is in milliseconds, which does not work with timechart, and it displays zero.

I tried the following:

1. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10
2. eventtype="Message Received" OR eventtype="Message processed" | transaction range(_time) as duration by contextId | chart range(_time) by contextId
3. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10 | convert ctime(_time)

What is working:

1. eventtype="Message Received" OR eventtype="Message processed" | stats range(_time) as durationms by contextId | eval duration = durationms/1000 - But I do not want the eval column, and I also want to bucket every hour.

But the actual requirement is to timechart the top 50 message processing events (contextIds) which have taken more than 1 sec, in milliseconds, in every hour.

My observation is that stats and transaction do not work with range() on evaled fields. Neither does bucket produce a correct result. If I bucket the range function for 30 mins, it results in the _time being 1800 secs.

0 Karma
1 Solution

Motivator

Hi @hariatsplunk,

You can try the query below:

eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") | stats range(time) as time by contextid | eval time=round(time*1000) | where time>1000 | sort limit=50 -time

Let me know if this helps!!!!


Engager

Thanks. It works perfectly. Additionally, can this be bucketed for every hour? I ask this because a range can extend over another bucket, in which case how will the contextId be placed?

0 Karma

Motivator

Hi,

You can try this:
eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") | bin _time span=60m | stats range(time) as time by _time, contextid | eval time=round(time*1000) | where time>1000 | sort limit=50 -time

Hope this helps!!
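As an added example that is not from this thread, the same calculation written so that each contextId is placed in the hour in which its first event was received, and only the 50 slowest contextIds per hour are kept. It assumes the field is named contextId as in the question and works directly on _time, which already carries millisecond precision.

```spl
eventtype="Message Received" OR eventtype="Message processed"
| stats min(_time) AS start_time, max(_time) AS end_time BY contextId
| eval duration_ms = round((end_time - start_time) * 1000)
| where duration_ms > 1000
| bin start_time span=1h
| sort 0 -duration_ms
| streamstats count AS rank BY start_time
| where rank <= 50
| rename start_time AS _time
| table _time, contextId, duration_ms
| sort 0 _time, -duration_ms
```

Bucketing on start_time after the stats keeps both events of a contextId in one row even when processing crosses an hour boundary, which the bin-before-stats form cannot do. The streamstats rank is computed within each hourly bucket, so the limit is 50 per hour rather than 50 overall.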