I was trying to create a table like below.
We have a log with below fields,
[Date][PreciseTime][Pid][Tid][TransactionID][Function][SrcFile][Message]
[03/03/2017][07:51:25.098][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]
TransactionID is the unique field here. Need to plot time frames like below: 0-10 ms, 10-20 ms, 20-30 ms, ... and display the total count of transactions which fall under that time frame.
In the event example above, let's assume faasfa-214d1-ff23r-3f3r43r2-dqwr23 (TransactionID) took 25 ms; it should fall under 20-30 ms.
I tried something like this,
base search | bucket _time span=1s | timechart count by _time
I see we can go only to seconds in span; can we go with milliseconds also here and achieve a table like below?
Transaction Time Count
10 ms - 20 ms 24
20 ms - 30 ms 95
30 ms - 40 ms 38
40 ms - 50 ms 114
50 ms - 60 ms 1512
60 ms - 70 ms 1075
70 ms - 80 ms 223
80 ms - 90 ms 51
90 ms - 100 ms 32
100 ms - 200 ms 62
200 ms - 300 ms 30
300 ms - 400 ms 23
400 ms - 500 ms 9
500 ms - 600 ms 4
600 ms - 700 ms 9
700 ms - 800 ms 21
800 ms - 900 ms 6
900 ms - 1 sec 3
you should be able to use milliseconds with span=10ms but if you do a bucket/bin, you'll want to use chart, not timechart.
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Bin#Span_options
base search | bucket _time span=10ms | chart count by _time
OR
base search | timechart span=10ms count
Hi cmerriman,
Thank you. This search is returning me graph over time for 10 ms time frame.
Let me add few more events.
[03/03/2017][07:51:25.038][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]
[03/03/2017][07:51:25.49][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]
[03/03/2017][07:51:25.050][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]
I am using earliest=-30m in base search, so I was taking events from only the last 30 minutes. In the event below the transaction faasfa-214d1-ff23r-3f3r43r2-dqwr23 has earliest 07:51:25.038 (_time) and latest 07:51:25.050 (_time).
The difference between earliest and latest is 50-38, which is 12 milliseconds, so this transaction should fall under 0-10 ms.
is it not falling under that bucket? is your PreciseTime the same as _time? what results are you seeing?
I was getting no results found. Yes, my precise time is the same as _time. When I use timechart, _time is represented as 2017-03-03 12:00:00 whereas my precise time is in a different format, 07:51:25.050.
isn't the range from this 07:51:25.038-07:51:25.49 which would fall under the 40-50 ms?
i just created a dataset for these three events and this is what i did and got:
| stats min(_time) as earliest max(_time) as latest by transactionid | eval duration=latest-earliest | bucket duration span=10ms | chart count by duration
duration count
0.450 1
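To make the result above reproducible offline, here is an added Python re-implementation of that stats/bucket pipeline over the three events from the thread (example code, not from the thread or from Splunk). It shows why 07:51:25.49 reads as .490 s, so the transaction lands in the 450 ms bucket; the extra bbbb-0001 transaction is a constructed assumption added so that a second bucket appears.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in the thread's bracketed format; the bbbb-0001
# transaction is an added assumption so that a second bucket shows up.
LOG = """\
[03/03/2017][07:51:25.038][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]
[03/03/2017][07:51:25.49][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]
[03/03/2017][07:51:25.050][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]
[03/03/2017][07:52:01.100][31255][40510594][bbbb-0001][number::invoke][number.java][Leaving the nunber.]
[03/03/2017][07:52:01.105][31255][40510594][bbbb-0001][number::invoke][number.java][Leaving the nunber.]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")

def parse_event(line):
    """Split one bracketed event into (TransactionID, timestamp)."""
    fields = FIELD_RE.findall(line)
    date, precise, tid = fields[0], fields[1], fields[4]
    # %f reads the digits after the dot as a fraction of a second, so
    # "25.49" is 25.490 s, not 25.049 s: the same reading Splunk applied above.
    ts = datetime.strptime(f"{date} {precise}", "%m/%d/%Y %H:%M:%S.%f")
    return tid, ts

def durations_ms(log):
    """stats min(_time) as earliest max(_time) as latest by transactionid
    | eval duration=latest-earliest, with duration in whole milliseconds."""
    first, last = {}, {}
    for line in log.splitlines():
        if not line.strip():
            continue
        tid, ts = parse_event(line)
        first[tid] = min(first.get(tid, ts), ts)
        last[tid] = max(last.get(tid, ts), ts)
    return {tid: (last[tid] - first[tid]) // timedelta(milliseconds=1) for tid in first}

def bucket_counts(durs, span_ms=10):
    """bucket duration span=10ms | chart count by duration; keys are bucket lower edges in ms."""
    counts = Counter((d // span_ms) * span_ms for d in durs.values())
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    # Same layout as the table the question asked for (10 ms buckets).
    for lo, n in bucket_counts(durations_ms(LOG)).items():
        print(f"{lo} ms - {lo + 10} ms {n}")
```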
Hi Cmerriman,
This search worked for me. Thank you.