Hello,
I have log messages that look like this:
Handled MessageTypeA in 10ms
Handled MessageTypeB in 23ms
Handled MessageTypeA in 5ms
Handled MessageTypeB in 27ms
I would like a line chart that shows me how long the messages are taking to process by each message type.
i.e. there would be 2 lines on the chart, one for MessageTypeA between values 10 and 5, and one for MessageTypeB between values 23 and 27.
This was my attempt:
{my search}| rex field=_raw "Handled (?<msg>\S*) in (?<time>\d+)"| timechart list(time) by msg
It seems to plot something, but not anything relating to the data I've got.
You are part of the way there. Try this for a better and more "accurate" chart.
{my search}| rex field=_raw "Handled (?<msg>\S*) in (?<time>\d+)" | timechart avg(time) by msg
max(), min(), etc... all the timechart functions are available there. Indeed, several at once, like
{my search}| rex field=_raw "Handled (?<msg>\S*) in (?<time>\d+)"
| timechart avg(time) as Average, max(time) as Maximum min(time) as Minimum by msg
Happy Splunking!
Rich
Thanks 🙂
That did it, but it's not drawing lines between the points for some reason.
Easy - that's in the chart formatting.
Click the Format button drop-down (top left of the chart).
In the "General" tab there's a way to handle "Null Values". Click the last of the three options to join them.
Ah, genius! Thanks 🙂
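A self-contained search that reproduces the thread's result, added here as an example and not posted by anyone in the thread. It builds the four sample events with `makeresults` (the one-minute spacing and the field name `n` are assumptions) and shows why the points were not joined: each time bucket holds a value for only one message type, so the other series is null there.

```spl
| makeresults count=4
| streamstats count AS n
``` constructed sample data: one event per minute, ending now ```
| eval _time = _time - (4 - n) * 60
| eval _raw = case(n=1, "Handled MessageTypeA in 10ms",
                   n=2, "Handled MessageTypeB in 23ms",
                   n=3, "Handled MessageTypeA in 5ms",
                   n=4, "Handled MessageTypeB in 27ms")
``` extract the message type and the duration as named fields ```
| rex field=_raw "Handled (?<msg>\S+) in (?<time>\d+)ms"
``` one column per msg value; buckets with no event for a type stay null ```
| timechart span=1m avg(time) by msg
```

In the Statistics tab the MessageTypeA and MessageTypeB columns alternate between a value and an empty cell, which is what the "Null Values" chart option described above joins across.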