Splunk Search

Outlook Launch Time query issue

MartinMcNutt
Communicator

We are currently using Event 45 to calculate the average load for Outlook: Microsoft KB & Sample Data

What we have for a search is this using Splunk 6:

index=win_desk EventCode=45 sourcetype="WinEventLog:Application" SourceName=Outlook | rex field=_raw "Boot Time \(Milliseconds\)\: (?<BootTime_ms>\d+)" max_match=0   | streamstats sum(BootTime_ms) as Evt_sum_BootTime window=1 | eval Evt_BootTime_sec = Evt_sum_BootTime / 1000 | bucket _time span=1d  | stats avg(Evt_BootTime_sec) by _time

When I run this search for the following days (10/1/13 12:00:00.000 am to 10/6/13 12:00:00.000 am) I come up with the following results:

_time                avg(Evt_BootTime_sec)
2013-10-01           24.834010
2013-10-02           7.831655
2013-10-03           7.796068
2013-10-04           4.842439
2013-10-05           4.59200

So far it all looks good! The problem seems to be when we adjust the the time frame to 30 days. My results go crazy!

10/1/13 12:00:00.000 AM to 11/1/13 12:00:00.000 AM
_time   avg(Evt_BootTime_sec)
2013-10-01   772.931010
2013-10-02   755.928655
2013-10-03   755.893068
2013-10-04   752.939439
2013-10-05   752.689000
2013-10-06   756.884800
2013-10-07   719.525329
2013-10-08   687.182311

As you can see in the data10/1/2013 has jumped from 24 seconds to 12 Minutes by just changing the date range. The goal is to track our progress month by month showing a steady progress downwards in a chart.

What am I doing wrong here?

Tags (2)
0 Karma

jackdenial
New Member

I am getting the same problem with my Outlook account when I tried to launch time on my outlook, then an error message is generating that is “Outlook launch time query issue”. Can anyone tell me the solution? I have Forgotten Outlook Password then I resolved this issue from this link https://www.outlooktechnicalsupportnumbers.com/
,

0 Karma

MartinMcNutt
Communicator

The rex is left over from the 5X Splunk servers.

0 Karma

dstaulcu
Builder

We discovered that log data about outlook a few weeks ago. very cool. For our instance of Splunk which is also version 6 the boot time field for add-ins auto-discovered. Is the value not getting extracted by default for you? Did you find something wrong with it which led you to regex extraction? I'll check to see whether I cam getting similar variation over time

0 Karma

lguinn2
Legend

This is because your streamstats are accumulated over more than one day now. I don't think you need the streamstats at all. If you want the average daily load calculated over the last X days, you could do this

index=win_desk EventCode=45 sourcetype="WinEventLog:Application" SourceName=Outlook 
| rex field=_raw "Boot Time \(Milliseconds\)\: (?<BootTime_ms>\d+)" max_match=0   
| eval Evt_BootTime_sec = Evt_sum_BootTime / 1000 
| bucket _time span=1d
| stats avg(Evt_BootTime_sec) by _time
0 Karma

lguinn2
Legend

Ah, that's a pretty brilliant use of streamstats

But I think that something must be wrong with your event parsing if you are getting multiple BootTimes in a single event.

Looking forward to seeing your final search...

0 Karma

MartinMcNutt
Communicator

I tried your approached but BootTime is auto discovered as a Multivalue field. Streamstats is doing exactly what is required and summing the time for each record.

The really odd thing about this is it works perfectly against a single indexer where it was originally created. When we execute against our new cluster it is fails with the bad values.

Thanks for the help anyways. I am going to see if Splunk can give us a hand with this and I will post the final search when it is done.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...