Splunk Search

Plotting duration on chart

ChhayaV
Communicator

hi,

I want to show time taken by a process to complete in seconds on time chart.

sample log entries

4432 [e0] INFO 2013-04-18 05:58:46.764 TM1.Process Process "TI_1" executed by user "Admin"

4432 [e0] INFO 2013-04-18 05:58:55.796 TM1.Process Process "TI_1": finished executing normally, elapsed time 9.02 seconds

4432 [e0] INFO 2013-04-18 06:01:45.400 TM1.Process Process "TI_1" executed by user "Admin"

4432 [e0] INFO 2013-04-18 06:01:55.243 TM1.Process Process "TI_1": finished executing normally, elapsed time 9.84 seconds

4432 [e0] INFO 2013-04-18 06:02:26.038 TM1.Process Process "TI_1" executed by user "Admin"

4432 [e0] INFO 2013-04-18 06:02:28.627 TM1.Process Process "TI_1": finished executing normally, elapsed time 2.59 seconds

Example values of duration from the above log entries are 9.02 seconds and 9.84 seconds, etc. We want to plot these values on a chart.

Thanks

0 Karma

zeroactive
Path Finder

Two ways to do this:

Easiest way would be to just search for lines that contain the "elapsed time" value in it and chart those values. You can extract the elapsed time with a regular expression:

"finished executing normally" | rex field=_raw "elapsed time (?<myduration>[\d.]+) seconds" | chart avg(myduration)

If you have multiple process names, you could extract the process name into a field as well and add that into your chart:

"finished executing normally" | rex field=_raw "Process \"(?<processName>[^\"]+)\"" | rex field=_raw "elapsed time (?<myDuration>[\d.]+) seconds" | chart avg(myDuration) by processName

Of course, use "timechart" instead of "chart" if you want to see the distribution of durations over time. Also, "timechart" does not require the use of a statistical function, but as Ayn points out, if you have multiple events occurring during a given time slice you will still need to use a stat function.

Probably your best bet on this type of data is to use "table" instead of "chart" or "timechart".

0 Karma

ChhayaV
Communicator

Ok, so there is no way to plot a chart the way I want?

0 Karma

Ayn
Legend

I insist that you do need it. Otherwise timechart would have no idea how to handle multiple values in a timeslice.

ChhayaV
Communicator

I want to plot the time taken by a particular process to complete on a chart. If elapsed time is 0.03 seconds this means the process took 3 seconds to complete; that is what I want to show with the process name. And is it necessary to use a function with timechart? Can I not use something like timechart myduration by Processname?

0 Karma

ChhayaV
Communicator

Hi,
How can I show process names also? | table _time myduration is working fine, but I need to show the process name as well.

0 Karma

ChhayaV
Communicator

Hi, I am not able to match the processes which have a name like "}Drill_Sales_Drill".

I matched all the processes which are like "TI_1".

Any suggestion?

0 Karma

Ayn
Legend

No, chart needs a statistical function as an argument, so you can't just give it a field straight away like that. Also, I imagine the poster wants to plot these over time. You could achieve this by skipping the chart commands and using | table _time myduration at the end.
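To make the two points in this thread concrete (the rex extraction in zeroactive's answer, and Ayn's point that timechart needs a statistical function once several events fall into one time slice), here is an added Python example that is not part of any post. It re-implements the extraction and a `timechart span=... avg(duration) by process_name` style bucketing over a constructed copy of the sample log, plus one constructed "}Drill_Sales_Drill" line to show that taking the name from inside the quotes matches names that `\w+` would miss.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the format from the question (last line added to cover a name with "}").
SAMPLE_LOG = """\
4432 [e0] INFO 2013-04-18 05:58:46.764 TM1.Process Process "TI_1" executed by user "Admin"
4432 [e0] INFO 2013-04-18 05:58:55.796 TM1.Process Process "TI_1": finished executing normally, elapsed time 9.02 seconds
4432 [e0] INFO 2013-04-18 06:01:45.400 TM1.Process Process "TI_1" executed by user "Admin"
4432 [e0] INFO 2013-04-18 06:01:55.243 TM1.Process Process "TI_1": finished executing normally, elapsed time 9.84 seconds
4432 [e0] INFO 2013-04-18 06:02:26.038 TM1.Process Process "TI_1" executed by user "Admin"
4432 [e0] INFO 2013-04-18 06:02:28.627 TM1.Process Process "TI_1": finished executing normally, elapsed time 2.59 seconds
4432 [e0] INFO 2013-04-18 06:02:40.101 TM1.Process Process "}Drill_Sales_Drill": finished executing normally, elapsed time 4.10 seconds
"""

# Equivalent of the two rex commands in one regex: the process name is everything inside the
# quotes (so "}Drill_Sales_Drill" matches), and the duration is digits with an optional fraction.
FINISHED_RE = re.compile(
    r'^\S+ \[[^\]]*\] \w+ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) '
    r'TM1\.Process Process "(?P<process_name>[^"]+)": finished executing normally, '
    r'elapsed time (?P<duration>\d+(?:\.\d+)?) seconds$'
)


def extract_durations(log_text):
    """Return (timestamp, process_name, duration_seconds) for each 'finished executing' line."""
    events = []
    for line in log_text.splitlines():
        m = FINISHED_RE.match(line)
        if not m:
            continue  # 'executed by user' lines carry no duration, just as the search would skip them
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("process_name"), float(m.group("duration"))))
    return events


def _bucket_start(ts, span_seconds):
    """Align a timestamp to the start of its span bucket (computed from midnight, so no tz issues)."""
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(seconds=secs - secs % span_seconds)


def timechart_avg(events, span_seconds):
    """Mimic `timechart span=<N>s avg(duration) by process_name`: average per (bucket, process).
    The average is what lets several completions in one slice collapse to a single plotted value."""
    buckets = defaultdict(list)
    for ts, name, dur in events:
        key = (_bucket_start(ts, span_seconds).strftime("%Y-%m-%d %H:%M:%S"), name)
        buckets[key].append(dur)
    return {k: round(sum(v) / len(v), 3) for k, v in buckets.items()}
```

With a 5-minute span, the two TI_1 completions at 06:01 and 06:02 land in the same bucket and are averaged, which is exactly the situation where a bare `timechart myduration` has nothing to plot.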
