
How to edit my timechart search to find the daily count of service calls over the last month?

jbrenner
Path Finder

I have the following Splunk search, which returns a count of service calls taking over 20,000 milliseconds, and I want to break this number down into a daily count over the last month:

index=xyz | rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." | stats count by MILLIS | search MILLIS > 20000 | stats sum(count)

I have tried to accomplish this with the "timechart" command, but so far I have been unsuccessful. Can someone please tell me how to do this?

Thanks!
Jonathan

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Your initial search is doing unnecessary work. It could be this simple...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| search MILLIS > 20000 
| stats count as CountOver20K

Here's how to add the date...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| search MILLIS > 20000 
| bin _time span=1d  
| stats count as CountOver20K by _time

or the last two could be combined this way

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| search MILLIS > 20000 
| timechart span=1d count as CountOver20K

By the way, be sure to mark your code as code so the interface doesn't strip out the html-like parts in angle brackets. <MILLIS>


0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try like this

index=xyz earliest=-1mon@mon latest=@mon | rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." | search MILLIS > 20000 | timechart span=1d count

Please note that I've added earliest and latest values in the base search to show results for last month (June 2017, considering today is Jul 5th). You can update earliest/latest per your need, or remove them and use the time range picker to specify the time range.

0 Karma

sbbadri
Motivator

try below

| rex field=_raw "Response Time : (?<MILLIS>\d+) for UpdateSession call." | search MILLIS > 2000 | timechart span=1h count by MILLIS

I hope this will help you

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@sbbadri - The last command will chart the count broken out by each particular value of MILLIS, which since they are the duration of the response time, are likely to all be unique values, just a few random dots on the timechart. However, that could be a useful strategy if you binned the MILLIS, for example in 5000 ms chunks, which might give you an idea just exactly how long the delays were in any given time period.

jbrenner
Path Finder

This is fantastic! Thank you!

DalJeanis
SplunkTrust
SplunkTrust

The suggestion by sbbadri reminded me that you might like to actually know how long the responses took, so this groups them by 5000 ms increments...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| bin _time span=1d
| eval MsRange = 5000*if(MILLIS<20000,0,floor(MILLIS/5000))
| where MsRange > 0 
| timechart span=1d count as CountInRange by MsRange 

You could leave in the 0-19999 ms range and color them appropriately to see what's happening at all levels.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Response time is likely to be dependent on volume, so you might also want to look at it this way...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| bin _time span=1d
| eval Over20K=if(MILLIS>20000,1,0)
| timechart span=1d sum(Over20K) as CountOver20K count as CountTotal

...or this way ...

index=xyz 
| rex field=_raw "Response Time : (?<MILLIS>.\d+) for UpdateSession call." 
| bin _time span=5m
| eval Over20K=if(MILLIS>20000,1,0)
| stats sum(Over20K) as CountOver20K count as CountTotal by _time
| eval PctOver20K = round(100*CountOver20K/CountTotal,2)
| timechart avg(PctOver20K) as AvgPct max(PctOver20K) as MaxPct span=1d 

0 Karma
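The three searches in this thread (the accepted daily count of calls over 20,000 ms, the 5000 ms MsRange bucketing, and the daily percentage-over-threshold view) all reduce to the same few steps: extract MILLIS with the regex, bin by day, then count or bucket. The block below is an added Python example, not code from the thread or from Splunk, that replays those steps over a handful of constructed log lines so you can check what each SPL stage produces. It assumes each event starts with an ISO-8601 UTC timestamp followed by the "Response Time : N for UpdateSession call." text; the sample events, the timestamp format and all function names are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread). One line per event:
# "<ISO timestamp> Response Time : <ms> for UpdateSession call."
# The last line deliberately does not match, to mirror rex dropping non-matching events.
SAMPLE_EVENTS = """\
2017-06-01T09:00:00Z Response Time : 1500 for UpdateSession call.
2017-06-01T09:05:00Z Response Time : 25000 for UpdateSession call.
2017-06-01T09:10:00Z Response Time : 31000 for UpdateSession call.
2017-06-01T09:15:00Z Response Time : 800 for UpdateSession call.
2017-06-02T10:00:00Z Response Time : 20000 for UpdateSession call.
2017-06-02T10:05:00Z Response Time : 20001 for UpdateSession call.
2017-06-02T10:10:00Z Response Time : 45000 for UpdateSession call.
2017-06-02T10:15:00Z Response Time : 300 for UpdateSession call.
2017-06-02T10:20:00Z Response Time : 12000 for UpdateSession call.
2017-06-02T10:25:00Z Something else entirely
"""

# Equivalent of the thread's rex: capture the milliseconds into a MILLIS field.
RESPONSE_RE = re.compile(r"Response Time : (?P<MILLIS>\d+) for UpdateSession call\.")

THRESHOLD_MS = 20000   # the "> 20000" in search MILLIS > 20000
BUCKET_MS = 5000       # the 5000 in eval MsRange = 5000*...


def parse_events(raw):
    """Yield (day, millis) per matching line: rex + bin _time span=1d."""
    for line in raw.splitlines():
        m = RESPONSE_RE.search(line)
        if not m:
            continue  # rex leaves MILLIS unset; later stages drop the event
        ts = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.date().isoformat(), int(m.group("MILLIS"))


def daily_count_over(raw, threshold=THRESHOLD_MS):
    """| search MILLIS > 20000 | bin _time span=1d | stats count as CountOver20K by _time"""
    counts = defaultdict(int)
    for day, ms in parse_events(raw):
        if ms > threshold:  # strict, exactly like the SPL comparison
            counts[day] += 1
    return dict(sorted(counts.items()))


def ms_range(ms, threshold=THRESHOLD_MS, bucket=BUCKET_MS):
    """eval MsRange = 5000*if(MILLIS<20000,0,floor(MILLIS/5000))"""
    return 0 if ms < threshold else (ms // bucket) * bucket


def daily_count_by_range(raw):
    """... | where MsRange > 0 | timechart span=1d count as CountInRange by MsRange"""
    counts = defaultdict(lambda: defaultdict(int))
    for day, ms in parse_events(raw):
        r = ms_range(ms)
        if r > 0:
            counts[day][r] += 1
    return {d: dict(sorted(v.items())) for d, v in sorted(counts.items())}


def daily_pct_over(raw, threshold=THRESHOLD_MS):
    """eval Over20K=if(MILLIS>20000,1,0) | stats sum(Over20K) as CountOver20K count as CountTotal by _time
    | eval PctOver20K = round(100*CountOver20K/CountTotal,2)"""
    over, total = defaultdict(int), defaultdict(int)
    for day, ms in parse_events(raw):
        total[day] += 1
        if ms > threshold:
            over[day] += 1
    return {
        d: {
            "CountOver20K": over[d],
            "CountTotal": total[d],
            "PctOver20K": round(100 * over[d] / total[d], 2),
        }
        for d in sorted(total)
    }


if __name__ == "__main__":
    print("CountOver20K by day:", daily_count_over(SAMPLE_EVENTS))
    print("CountInRange by day and MsRange:", daily_count_by_range(SAMPLE_EVENTS))
    print("PctOver20K by day:", daily_pct_over(SAMPLE_EVENTS))
```

Running it on the sample shows one edge case worth keeping in mind when you read the two charts side by side: `search MILLIS > 20000` is a strict comparison, so a call that took exactly 20000 ms is not counted in CountOver20K, but the MsRange expression uses `MILLIS<20000` for the zero bucket, so that same call lands in the 20000 bucket of the range chart. If the two views must agree, use the same comparison operator in both.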