Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a report on the hourly count, min, max, and avg of certain strings found in my log file?

runiyal
Path Finder
‎10-13-2015 09:17 AM

In my log file, I have lot of messages saying upload or search got completed in x seconds. Like:

Upload executed in x seconds
Search completed in x seconds

We need a report that tells us the total count on an hourly basis, but with it, it should also calculate Min/Max/Avg time (second) spent for each of that operation. Result should be like:

Activity Count Min Max Avg
Upload

Search

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-13-2015 09:42 AM

Try something like this (runs for last hour, check the field extraction as per your actual log)

your base search earliest=-1h@h latest=@h | rex field=_raw "(?<Activity>\w+)\s(executed|completed) in (?<duration>\d+) seconds" | stats count as Count min(duration) as Min max(duration) as Max avg(duration) as Avg by Activity

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rphillips_splk
Splunk Employee
Splunk Employee
‎10-13-2015 10:20 AM 
<form>
  <label>sample dash for runiyal</label>
  <fieldset submitButton="false">
    <input type="time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
          <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Stats of Activity</title>
      <chart>
        <search>
          <query>source=*test.log | rex field=_raw "(?<Activity>\w+)(\s+executed in|\s+completed in)\s+(?<seconds>\w+)\s+seconds"  | timechart span=1h avg(seconds) as avg_sec  min(seconds) as min_sec max(seconds) as max_sec by Activity</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Count of Activity</title>
      <chart>
        <search>
          <query>source=*test.log | rex field=_raw "(?<Activity>\w+)(\s+executed in|\s+completed in)\s+(?<seconds>\w+)\s+seconds"  | timechart span=1h count by Activity usenull=f</query>

        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-13-2015 09:42 AM

Try something like this (runs for last hour, check the field extraction as per your actual log)

your base search earliest=-1h@h latest=@h | rex field=_raw "(?<Activity>\w+)\s(executed|completed) in (?<duration>\d+) seconds" | stats count as Count min(duration) as Min max(duration) as Max avg(duration) as Avg by Activity
0 Karma
Reply
Solved! Jump to solution

runiyal
Path Finder
‎10-23-2015 08:41 AM

Hello,

Logfile got updated so that we get the dureation in milliseconds. So now the log file shows -

Search Completed successfully in 0.698 seconds
Upload Completed successfully in 2.529 seconds

How to incorporate this in the report?

Thanks!

0 Karma
Reply
Solved! Jump to solution

runiyal
Path Finder
‎10-13-2015 10:06 AM

Thanks a lot. It helped!

One more thought - What if I need to have the count and Min/Max/Avg for each hour for a day?

Thanks in advance!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...