- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why my timechart is giving an additional column ca...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the below query to create a timechart.
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?[A-Z]*)" | rex "\[Tx.*\]:\[(?.*)\]:" | transaction TransactionId | timechart avg(duration) by Operation
There are only two possible values for Operation: GetToken, SetToken
But in the result, I am seeing 3 columns ( 3 lines in the timechart)
GetToken
SetToken
VALUE (average of GetToken, SetToken for each row)
Why does this VALUE column comes in ? It didnt happen in other queries. What am I doing wrong ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure what the second rex is doing here but the usual splunk syntax for field extraction contains a FIELDNAME as follows:
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?<Operation>[A-Z]*)" | rex "\[Tx.*\]:\[(?<someotherfieldname>.*)\]:" | transaction TransactionId | timechart avg(duration) by Operation
Perhaps I am just unfamiliar with your extraction syntax.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure what the second rex is doing here but the usual splunk syntax for field extraction contains a FIELDNAME as follows:
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?<Operation>[A-Z]*)" | rex "\[Tx.*\]:\[(?<someotherfieldname>.*)\]:" | transaction TransactionId | timechart avg(duration) by Operation
Perhaps I am just unfamiliar with your extraction syntax.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah. I pasted the query wrongly. Second one is the Transaction Id. This is to group the events.
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?[A-Z])" | rex "[Tx.]:[(?.*)]:" | transaction TransactionId | timechart avg(duration) by Operation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you looked at your results after each step in your search pipeline to verify that both extractions and the transaction command are working as expected?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah. In fact there are not many steps.
What I am trying to achieve is, a time chart on average(duration) for each operation. In the end result, I get 3 lines in the chart.
1. GetToken
2. SetToken
3. VALUE ( Where does this come from ??)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, understood, to me it sounds like your Operation extraction rex is getting an unexpected value. Do you only see two values for that field if you remove the timechart command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the late reply. You were right.. Thanks.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
