
Timechart for three different actions : Browse, View, Download

splunkman341
Communicator

Hi guys,

So I have a query which displays elapsedTime values for three different actions, which are browse, view, and download. I am wondering if it is possible to display this information in a timechart, where the x-axis displays the date by day and the y-axis displays the value. Here is the query I am trying to make the timechart out of:

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | timechart values(elapsedTime) by service

Thanks in advance for your help

1 Solution

woodcock
Esteemed Legend

Based on clarifications in your comments, I think what you are trying to do is this:

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | bucket _time span=1d | stats values(elapsedTime) by _time service


martin_mueller
SplunkTrust

Using values(field) in a timechart doesn't make sense, you need some aggregation to get down to a single number for each cell / data point. For example, you could use avg(field) or sum(field).

woodcock
Esteemed Legend

It looks like your RegEx is bad, so either service or elapsedTime does not exist and no data is returned. What does this return?

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table *
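The check woodcock is asking for, and the two aggregation shapes discussed above (the accepted answer's `bucket _time span=1d | stats values(elapsedTime) by _time service`, and the single-number-per-cell form martin_mueller says a timechart needs), as an added Python example that is not from the original post or from Splunk. It runs the rex pattern from the thread unchanged over a handful of constructed sample events, so you can confirm offline that both named groups extract before blaming the chart; the event layout (an ISO timestamp leading each line) and the log lines themselves are assumptions, since the thread shows no raw event. The chartable SPL equivalent of the `avg` function below is `... | timechart span=1d avg(elapsedTime) by service`.

```python
import re
from collections import defaultdict
from statistics import mean

# The rex pattern from the thread, copied unchanged; Python's re accepts the (?P<name>...) syntax.
SERVICE_RE = re.compile(
    r"(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?"
    r"|EmployeeDocumentServicesImp[l]?\.listDocuments)"
    r"\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]"
)

# Constructed sample events (assumption: an ISO timestamp leads each line; the thread shows no raw event).
SAMPLE_EVENTS = [
    "2015-06-01 09:12:04,118 INFO  EmployeeDocumentServicesImpl.listDocuments(emp=1001) Elapsed time: - [0.412]",
    "2015-06-01 09:15:30,500 INFO  EmployeeDocumentServicesImpl.getDocument(docId=77) Elapsed time: - [1.250]",
    "2015-06-01 11:40:00,001 INFO  EmployeeDocumentServicesImpl.getDocumentPDF(docId=77) Elapsed time: - [3.875]",
    "2015-06-01 16:02:17,777 INFO  EmployeeDocumentServicesImpl.getDocument(docId=78) Elapsed time: - [0.750]",
    "2015-06-02 08:00:00,000 INFO  EmployeeDocumentServicesImpl.listDocuments(emp=1002) Elapsed time: - [0.300]",
    "2015-06-02 08:05:10,250 INFO  EmployeeDocumentServicesImp.getDocumentPDF(docId=80) Elapsed time: - [2.125]",
    # No "Elapsed time" on this line, so rex extracts nothing from it.
    "2015-06-02 08:06:00,000 WARN  EmployeeDocumentServicesImpl.getDocument(docId=81) failed: timeout",
]


def extract(events):
    """Mimic `rex`: keep only events where both `service` and `elapsedTime` extract.

    Returns (day, service, elapsedTime) rows. `day` is the event's calendar day, a
    stand-in for `bucket _time span=1d`. elapsedTime stays the extracted string,
    which is what Splunk's stats functions see.
    """
    rows = []
    for line in events:
        m = SERVICE_RE.search(line)
        if m is None:
            continue  # no match: the event contributes nothing, which is how an empty chart arises
        rows.append((line[:10], m.group("service"), m.group("elapsedTime")))
    return rows


def stats_values_by_day_service(rows):
    """`bucket _time span=1d | stats values(elapsedTime) by _time service` (the accepted answer).

    One cell per (day, service) holding a multivalue field: every distinct
    elapsedTime, lexicographically sorted, as values() returns it.
    """
    table = defaultdict(set)
    for day, service, t in rows:
        table[(day, service)].add(t)
    return {key: sorted(vals) for key, vals in table.items()}


def timechart_avg_by_service(rows):
    """`timechart span=1d avg(elapsedTime) by service` (martin_mueller's point).

    One number per (day, service), the shape a chart can plot. values() cannot be
    drawn because a single cell would hold several numbers.
    """
    table = defaultdict(list)
    for day, service, t in rows:
        table[(day, service)].append(float(t))
    return {key: round(mean(vals), 3) for key, vals in table.items()}


if __name__ == "__main__":
    rows = extract(SAMPLE_EVENTS)
    print(f"{len(rows)} of {len(SAMPLE_EVENTS)} events matched the rex pattern")
    for key, vals in sorted(stats_values_by_day_service(rows).items()):
        print("values", key, vals)
    for key, avg in sorted(timechart_avg_by_service(rows).items()):
        print("avg   ", key, avg)
```

If `extract` returns no rows for your real events, the regex is the problem (typically the literal ` Elapsed time:\s+-\s\[` part not matching the actual spacing or punctuation), and no amount of chart configuration will help; if it returns rows, the remaining choice is between the `values()` table, which lists every individual elapsedTime per day and service, and an aggregate such as `avg()` or `max()`, which is what a timechart can plot.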

splunkman341
Communicator

That does not display any information either, and says "Your search generated too much data for the current visualization configuration".

In the statistics tab, it displays a lot more information as well that I do not need.


woodcock
Esteemed Legend

OK, does this show your 2 fields?

index=doccloud_main sourcetype=doccloud_sb | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp[l]?\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table service elapsedTime

splunkman341
Communicator

That does not display anything and gives the message "This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached."

I have three fields I need to display with their corresponding elapsedTimes which are :

-EmployeeDocumentServicesImp.getDocument

-EmployeeDocumentServicesImp.getDocumentPDF

-EmployeeDocumentServicesImp.listDocuments


woodcock
Esteemed Legend

You need to go all the way back to the beginning, show sample data, describe what fields are currently being extracted and maybe we can get somewhere.

splunkman341
Communicator

Hi woodcock. I was wondering if you were able to view my link.


woodcock
Esteemed Legend

I do not understand; you have an accepted answer to that question and @martin_mueller has the correct answer for this question. Do you understand what he said?

splunkman341
Communicator

I do, but that is not what I want. I do not want the sum or average of each elapsedTime; I want to display each elapsedTime for each document action day by day.


splunkman341
Communicator

Please see this link as a reference to what exactly I am trying to accomplish.

https://answers.splunk.com/answers/235496/how-to-search-for-three-different-actions-browse-v.html


woodcock
Esteemed Legend

I do not understand; that query looks good as-is (except that maybe you need a span=1m or something to deviate from the default). Does your search not produce a chart when you click on the visualization tab?

splunkman341
Communicator

No, it does not; it displays an empty chart.
