Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

create lagtime panel with average time between two string value datetime fields

jdepp
Path Finder
‎05-02-2014 06:10 AM

I have two datetime fields that I would like to use to calculate average lagtime as each message coming contains these fields. I would like to display some sort of panel showing this in seconds.

pubDate:"2014-04-30 11:27:49"   scrapeDate:"2014-04-30 11:27:53"

any help appreciated.

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-02-2014 06:52 AM 
... | eval pubDate="2014-04-30 11:27:49" | eval scrapeDate="2014-04-30 11:27:53" | eval ipubDate=strptime(pubDate, "%Y-%m-%d %H:%M:%S") | eval iscrapeDate=strptime(scrapeDate, "%Y-%m-%d %H:%M:%S") | eval lagtime=round(iscrapeDate-ipubDate,0) | table pubDate, scrapeDate, lagtime
---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2014 08:21 AM

Try this:

sourcetype="data.newIndex.stats" | eval ipubDate=strptime(pubDate, "%Y-%m-%d %H:%M:%S") | eval iscrapeDate=strptime(scrapeDate, "%Y-%m-%d %H:%M:%S") | eval lagtime=round(iscrapeDate-ipubDate,0) | chart max(lagtime)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jdepp
Path Finder
‎05-13-2014 03:35 PM

I tried the following:
search sourcetype="data.newIndex.stats" | eval ipubDate=strptime(pubDate, "%Y-%m-%d %H:%M:%S") | eval iscrapeDate=strptime(scrapeDate, "%Y-%m-%d %H:%M:%S") | eval lagtime=round(iscrapeDate-ipubDate,0) | table pubDate, scrapeDate, lagtime

I used a dial gauge on my panel but get the following message:
These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit h

I would like the above query to only return the max result

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...