I am using the below query to create a timechart.
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?<Operation>[A-Z]*)" | rex "\[Tx.*\]:\[(?<TransactionId>.*)\]:" | transaction TransactionId | timechart avg(duration) by Operation
There are only two possible values for Operation: GetToken, SetToken
But in the result, I am seeing 3 columns (3 lines in the timechart):
GetToken
SetToken
VALUE (average of GetToken, SetToken for each row)
Why does this VALUE column come in? It didn't happen in other queries. What am I doing wrong?
I am not sure what the second rex is doing here, but the usual Splunk syntax for field extraction contains a FIELDNAME as follows:
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?<Operation>[A-Z]*)" | rex "\[Tx.*\]:\[(?<someotherfieldname>.*)\]:" | transaction TransactionId | timechart avg(duration) by Operation
Perhaps I am just unfamiliar with your extraction syntax.
Yeah. I pasted the query wrongly. The second one is the Transaction Id. This is to group the events.
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?<Operation>[A-Z]*)" | rex "\[Tx.*\]:\[(?<TransactionId>.*)\]:" | transaction TransactionId | timechart avg(duration) by Operation
Have you looked at your results after each step in your search pipeline to verify that both extractions and the transaction command are working as expected?
Yeah. In fact there are not many steps.
What I am trying to achieve is a time chart of avg(duration) for each operation. In the end result, I get 3 lines in the chart:
1. GetToken
2. SetToken
3. VALUE (where does this come from?)
Yes, understood. To me it sounds like your Operation extraction rex is getting an unexpected value. Do you only see two values for that field if you remove the timechart command?
Sorry for the late reply. You were right. Thanks.
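An added example, not from the thread, that reproduces the diagnosis the last answer points at: a rex whose capture is quantified with "*" can match zero characters, so any event where nothing matchable follows "Operation:" gets an empty-string Operation, and timechart draws a third series for that value (presumably the VALUE column seen in the question). The log layout, the [A-Za-z] class (as pasted, [A-Z]* would stop at the first lowercase letter of GetToken) and the empty string as the unexpected value are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (the thread shows no real log lines, so this
# layout is an assumption): an "Operation:" token, the "[Tx..]:[<id>]:" block
# the second rex targets, and a duration field.
SAMPLE_EVENTS = [
    "10:00:01 Operation:GetToken [Tx1]:[abc-1]: duration=120",
    "10:00:02 Operation:SetToken [Tx1]:[abc-2]: duration=80",
    "10:00:03 Operation:GetToken [Tx1]:[abc-3]: duration=100",
    # Here a space follows "Operation:", so a "*"-quantified class matches
    # zero characters and the extraction silently yields Operation="".
    "10:00:04 Operation: SetToken [Tx1]:[abc-4]: duration=90",
]

# Extraction as in the question, quantified with "*" (Python spells named
# groups (?P<name>...) where Splunk's rex uses (?<name>...)).
LOOSE_OP_RE = re.compile(r"Operation:(?P<Operation>[A-Za-z]*)")
# Tightened form: "+" refuses to match unless at least one letter follows.
STRICT_OP_RE = re.compile(r"Operation:(?P<Operation>[A-Za-z]+)")
TX_RE = re.compile(r"\[Tx.*\]:\[(?P<TransactionId>.*)\]:")
DURATION_RE = re.compile(r"duration=(?P<duration>\d+)")


def extract(event, op_re):
    """Pull the three fields one event contributes to the search pipeline.
    Returns None when any pattern fails; in Splunk the field would simply be
    missing and the event would need filtering (or land in a NULL series)."""
    op, tx, dur = op_re.search(event), TX_RE.search(event), DURATION_RE.search(event)
    if not (op and tx and dur):
        return None
    return {"Operation": op.group("Operation"),
            "TransactionId": tx.group("TransactionId"),
            "duration": int(dur.group("duration"))}


def distinct_operations(events, op_re):
    """The check suggested in the thread: drop timechart and inspect the raw
    values of the split-by field. An empty string is a third distinct value."""
    rows = (extract(e, op_re) for e in events)
    return sorted({r["Operation"] for r in rows if r})


def avg_duration_by_operation(events, op_re):
    """One timechart bucket: avg(duration) split by Operation. Each distinct
    value of the split-by field becomes its own series (column)."""
    durations = defaultdict(list)
    for e in events:
        r = extract(e, op_re)
        if r:
            durations[r["Operation"]].append(r["duration"])
    return {op: sum(v) / len(v) for op, v in durations.items()}
```

Running both extractions over the same events shows the loose pattern producing three series and the strict one producing the expected two; the equivalent SPL change is "[A-Za-z]+" in the first rex, plus a where clause if events without an Operation must be excluded rather than charted.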