Splunk Search

How to edit my table to plot transactions?

krishnacasso
Path Finder

I was trying to create a table like below.
We have a log with below fields,

[Date][PreciseTime][Pid][Tid][TransactionID][Function][SrcFile][Message]

[03/03/2017][07:51:25.098][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

TransactionID is the unique field here. Need to plot time frames like below 0-10ms, 10 -20 ms, 20-30 ms, ..... and display the total count of transactions which fall under that time frame.
In the event example above, let's assume faasfa-214d1-ff23r-3f3r43r2-dqwr23 (TransactionID) took 25ms; it should fall under 20 -30 ms.

I tried something like this,

base search | bucket _time span=1s | timechart  count by _time

I see we can only go down to seconds in span; can we go with milliseconds also here and achieve a table like below?

Transaction Time          Count
10 ms - 20 ms             24
20 ms - 30 ms             95
30 ms - 40 ms             38
40 ms - 50 ms             114
50 ms - 60 ms             1512
60 ms - 70 ms             1075
70 ms - 80 ms             223
80 ms - 90 ms             51
90 ms - 100 ms            32
100 ms - 200 ms           62
200 ms - 300 ms           30
300 ms - 400 ms           23
400 ms - 500 ms           9
500 ms - 600 ms           4
600 ms - 700 ms           9
700 ms - 800 ms           21
800 ms - 900 ms           6
900 ms - 1 sec            3
0 Karma
1 Solution

cmerriman
Super Champion

you should be able to use milliseconds with span=10ms but if you do a bucket/bin, you'll want to use chart, not timechart.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Bin#Span_options

base search | bucket _time span=10ms | chart count by _time

OR

base search  | timechart span=10ms count

0 Karma

krishnacasso
Path Finder

Hi cmerriman,
Thank you. This search is returning me a graph over time for a 10 ms time frame.
Let me add a few more events.
[03/03/2017][07:51:25.038][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

[03/03/2017][07:51:25.49][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

[03/03/2017][07:51:25.050][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

I am using earliest=-30m in base search, so I was taking events from only the last 30 minutes. In the events below the transaction faasfa-214d1-ff23r-3f3r43r2-dqwr23 has earliest 07:51:25.038 (_time) and latest 07:51:25.050 (_time).
The difference between earliest and latest is 50-38, which is 12 milliseconds, so this transaction should fall under 0-10 ms.

0 Karma

cmerriman
Super Champion

is it not falling under that bucket? is your PreciseTime the same as _time? what results are you seeing?

0 Karma

krishnacasso
Path Finder

I was getting no results found. Yes, my precise time is the same as _time. When I use timechart, _time is represented as 2017-03-03 12:00:00, whereas my precise time is in a different format, 07:51:25.050.

0 Karma

cmerriman
Super Champion

isn't the range from this 07:51:25.038-07:51:25.49 which would fall under the 40-50 ms?

i just created a dataset for these three events and this is what i did and got:

|stats min(_time) as earliest max(_time) as latest by transactionid|eval duration=latest-earliest| bucket duration span=10ms |chart count by duration

duration count
0.450 1
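The logic of that search (min/max event time per TransactionID, duration = latest - earliest, bucket into 10 ms spans, count per bucket), written out in plain Python so it can be checked against known events. This is an added example, not code from the thread or from Splunk. It assumes the eight-field bracket layout given in the question, that Date is month/day/year, and it uses the three events posted above plus two constructed transactions (one of 25 ms, one seen only once); Splunk itself keeps _time in seconds, so its duration for the same transaction appears as 0.450 rather than 450 ms.

```python
"""Per-transaction duration histogram for the [Date][PreciseTime]...[Message] format.

Added example (not from the Splunk thread or Splunk itself). Reproduces in Python:
  stats min(_time) as earliest max(_time) as latest by TransactionID
  | eval duration=latest-earliest | bucket duration span=10ms | chart count by duration
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# The eight bracketed fields, in the order given in the question.
FIELDS = ["Date", "PreciseTime", "Pid", "Tid", "TransactionID",
          "Function", "SrcFile", "Message"]
BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def parse_event(line):
    """Split one log line into a dict of its eight fields; None if it does not fit."""
    values = BRACKET_RE.findall(line.strip())
    if len(values) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, values))
    try:
        # Date and PreciseTime are combined so a transaction crossing midnight still
        # gets a correct duration. %f accepts 1-6 fractional digits, so "25.49" is
        # 25 s + 490 ms, not 49 ms (the reading that confused the thread).
        event["_time"] = datetime.strptime(
            f'{event["Date"]} {event["PreciseTime"]}', "%m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        return None
    return event


def transaction_durations_ms(lines):
    """Return {TransactionID: duration in ms} from first to last event per ID.

    A transaction seen only once gets 0 ms, exactly as the stats-based search
    reports it (min and max of a single event are equal).
    """
    first, last = {}, {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # skip lines that do not match the expected layout
        txid, t = event["TransactionID"], event["_time"]
        first[txid] = min(first.get(txid, t), t)
        last[txid] = max(last.get(txid, t), t)
    # Integer microseconds first, so the division does not pick up float drift.
    return {txid: (last[txid] - first[txid]) // timedelta(microseconds=1) / 1000
            for txid in first}


def bucket_label(lo_ms, span_ms):
    """Label in the style of the wanted table, e.g. '20 ms - 30 ms'."""
    return f"{lo_ms} ms - {lo_ms + span_ms} ms"


def duration_histogram(durations_ms, span_ms=10):
    """Count transactions per [lo, lo + span) bucket, sorted by bucket start."""
    counts = Counter()
    for ms in durations_ms.values():
        lo = int(ms // span_ms) * span_ms   # same floor-to-span rule as `bucket`
        counts[lo] += 1
    return [(bucket_label(lo, span_ms), counts[lo]) for lo in sorted(counts)]


# Constructed sample: the three events posted in the thread for one TransactionID,
# two made-up transactions (constructed-tx-0002 lasts 25 ms, constructed-tx-0003 is
# seen once), and one junk line to show the parser skipping it.
SAMPLE_LOG = [
    "[03/03/2017][07:51:25.038][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]",
    "[03/03/2017][07:51:25.49][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]",
    "[03/03/2017][07:51:25.050][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]",
    "[03/03/2017][07:51:26.100][31255][40510594][constructed-tx-0002][number::invoke][number.java][Entering the number.]",
    "[03/03/2017][07:51:26.125][31255][40510594][constructed-tx-0002][number::invoke][number.java][Leaving the number.]",
    "[03/03/2017][07:51:27.000][31255][40510594][constructed-tx-0003][number::invoke][number.java][Leaving the number.]",
    "not a log line",
]

if __name__ == "__main__":
    durations = transaction_durations_ms(SAMPLE_LOG)
    for txid, ms in durations.items():
        print(f"{txid}: {ms:.0f} ms")
    print()
    print(f"{'Transaction Time':<20} Count")
    for label, count in duration_histogram(durations):
        print(f"{label:<20} {count}")
```

Running it puts the thread's transaction in the 450 ms - 460 ms bucket (its events span 25.038 to 25.490), which matches the 0.450 row cmerriman got; the 25 ms transaction lands in 20 ms - 30 ms and the single-event one in 0 ms - 10 ms. Change `span_ms` to get the coarser 100 ms rows from the wanted table.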

krishnacasso
Path Finder

Hi Cmerriman,
This search worked for me. Thank you.

0 Karma