- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- timechart with range (_time) not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have created two event types from logs to capture messaging events received and processed, having same contextId; from which I am trying to chart the duration of time taken to process an message by contextId. But the time is in milliseconds which does not work with timechart and it displays zero.
I tried the following
1. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10
2. eventtype="Message Received" OR eventtype="Message processed" | transaction range(_time) as duration by contextId | chart range(_time) by contextId
3. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10 | convert ctime(_time)
what is working,
- eventtype="Message Received" OR eventtype="Message processed" | stats range(_time) as durationms by contextId | eval duration = durationms/1000 - But not want eval column and also want to bucket in every hour
But actually requirement is timechart top 50 message processing events (contextIds) which has taken more than 1 sec in milliseconds in every hour.
My observation is, stats and transactions do not work in range(evaled fields). Neither bucket produces correct result. If I bucket range function for 30 mins it results the _time as 1800 secs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi@hariatsplunk,
You can try the query below:
eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") | stats range(time) as time by contextid| eval time=round(time*1000) | where time>1000 | sort - time limit=50
Let me know if this helps!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi@hariatsplunk,
You can try the query below:
eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") | stats range(time) as time by contextid| eval time=round(time*1000) | where time>1000 | sort - time limit=50
Let me know if this helps!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. It works perfectly. Additionally can this be bucketed for every hour? I ask this cause a range can extend over another bucket in which case how will the contextId placed ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try dis:
eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") |bin _time span=60m| stats range(time) as time by contextid| eval time=round(time*1000) | where time>1000 | sort - time limit=50
Hope this helps!!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
