Hi,
Please find the below XML file:
For this file I need a query to retrieve the values for
1. Start time for the request, i.e. where the cmd start is mentioned.
2. Quit time for the request, i.e. where the cmd quit is mentioned.
3. Difference between the start and quit time for the request.
Let me know if you need any more information.
Regards,
Sushma.
As a first step, make sure your XML is indexed as one entry tag per event with the log_time value used as Splunk timestamp.
Once you've done that, using the spath command will create fields like entry.lstnconnaddr, entry.cliconnaddr, and so on - you can use those as you normally would use fields.
You could for example append this:
... | timechart avg(diff)
That'll produce a chart with the average diff value over time... no idea whether that's what you are looking for or not, there are endless numbers of different statistics you could want.
Any type of graph like bar, line or pie etc.
I mean to say I want to generate a graph out of it; I think modifying the query a bit may help out. Is it not?
What kind of statistics are you looking for?
Yeah, OK, that worked out for me, but this query does not generate any statistical graph for me. Is there a way to modify the query a bit so that I could generate the query?
Not quite, the "duration" keyword is important for the tostring() function. See http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/CommonEvalFunctions for reference.
So just replace eval move_time=strftime(diff, "%H:%M:%S.%3Q") with eval move_time = tostring(diff, "%H:%M:%S.%3Q"). Is that right?
For displaying the time I recommend not using strftime(). That expects an epoch timestamp, i.e. seconds since January 1st, 1970 UTC. I assume you're on UTC-4 (EDT?), which shows an epoch value of 6 as four hours before midnight (plus 6 seconds) and drops the December 31st, 1969 due to the strftime() format.
Instead, use Splunk's duration converter:
... | eval end_time = strptime(...) | eval start_time = strptime(...) | eval diff = ... | eval move_time = tostring(diff, "duration")
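To make the pitfall concrete, here is an added Python illustration (not from the original thread and not Splunk code) that reproduces the 20:00:06.225 result from the quoted timestamps by treating the 6.225-second difference as an epoch timestamp in an assumed UTC-4 zone, and then formats the same difference as a timezone-independent duration, which is what tostring(diff, "duration") is for. The date part of the timestamps is not on the page, so an arbitrary date is assumed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the times quoted in the thread, with an assumed date.
DATE = "2014-01-01"
START = f"{DATE} 19:42:42.080"
END = f"{DATE} 19:42:48.305"
FMT = "%Y-%m-%d %H:%M:%S.%f"          # %f is Python's equivalent of Splunk's %3Q here

# Assumed local zone: UTC-4 (EDT), as guessed in the answer above.
LOCAL = timezone(timedelta(hours=-4))


def epoch_diff(start: str, end: str) -> float:
    """Same idea as strptime() on both fields followed by end_time - start_time:
    parse each timestamp to epoch seconds and subtract."""
    s = datetime.strptime(start, FMT).replace(tzinfo=LOCAL).timestamp()
    e = datetime.strptime(end, FMT).replace(tzinfo=LOCAL).timestamp()
    return e - s


def strftime_on_duration(diff: float) -> str:
    """What strftime(diff, "%H:%M:%S.%3Q") actually does: it interprets the
    duration as an epoch timestamp and renders it in local time, so 6.225
    seconds after 1970-01-01 00:00 UTC becomes 20:00:06.225 on 1969-12-31 in UTC-4."""
    return datetime.fromtimestamp(diff, tz=LOCAL).strftime("%H:%M:%S.%f")[:-3]


def duration_string(diff: float) -> str:
    """Timezone-independent formatting of a number of seconds as HH:MM:SS.mmm,
    i.e. the behaviour you want from a duration converter."""
    total_ms = round(diff * 1000)                 # absorbs float noise from the subtraction
    hours, rem = divmod(total_ms, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    seconds, millis = divmod(rem, 1000)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}.{millis:03d}"


if __name__ == "__main__":
    diff = epoch_diff(START, END)
    print(strftime_on_duration(diff))   # 20:00:06.225  (the confusing value)
    print(duration_string(diff))        # 00:00:06.225  (the intended value)
```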
eval end_time=strptime(move_end,"%Y-%m-%d %H:%M:%S.%3Q") | eval start_time=strptime(move_file_start,"%Y-%m-%d %H:%M:%S.%3Q") | eval diff=end_time-start_time | eval move_time=strftime(diff, "%H:%M:%S.%3Q")
Please see this query and correct me.
OK, I wrote a query to calculate the difference between start and end time. In my XML file the start time is 19:42:48:305 and end time is 19:42:42:080, so the actual difference between them should be 00:00:06:225, but it is showing me 20:00:06:225. Why is it happening so?
I knew that we have to use spath so as to retrieve the xml values, but I am not clear as how to use in case of my above requirement.
Look into using the spath command.