Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I make my table results in 3s time interva...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-06-2018
03:50 PM
Query I am running:
index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null()
|table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
| rename message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
|sort -_time
This results in the following table:
https://drive.google.com/open?id=1PaUuxMNy29QYtjzKbc2i0ulGybXXSnL6 (also shown in image)
As shown in the image, the results have varying time intervals.
I want to get the results in the table to be in time intervals of 3s.
How do I go about doing it?
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
12-06-2018
10:19 PM
Hi,
Can you try the below search,
index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null()
|table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
| rename message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
|sort -_time
| mvexpand Channel
| mvexpand Duration
| bin span=3s _time
| stats values(Channel) as Channel, values(Duration) as Duration by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
12-06-2018
10:19 PM
Hi,
Can you try the below search,
index="dcg-video-eng-live-services-stage" | spath "message.req.originalUrl" | search "message.req.originalUrl"!="/health-check"| spath severity | search severity!=warn|search message.extraLogInfo./api2/asset/get.assets{}.desc!=null()
|table _time message.extraLogInfo./api2/asset/get.assets{}.desc message.extraLogInfo./api2/asset/get.assets{}.duration
| rename message.extraLogInfo./api2/asset/get.assets{}.desc as Channel, message.extraLogInfo./api2/asset/get.assets{}.duration as Duration
|sort -_time
| mvexpand Channel
| mvexpand Duration
| bin span=3s _time
| stats values(Channel) as Channel, values(Duration) as Duration by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:22 AM
It is giving me the 3s interval. Thanks 🙂
But its also giving me other data I don't want. Sorta combining two mv values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:27 AM
But on explicitly eliminating that data using '!=', I got what I wanted 🙂
Thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
12-07-2018
09:26 AM
Cool.please accept it as answer if it is resolved your issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:36 AM
Hey..I'm seeing a problem, the time stamp is repeating in some cases
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-07-2018
09:51 AM
Never mind, used dedup 😛
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nagarjuna280
Communicator
12-06-2018
04:42 PM
try adding at the end
| bin _time span=3s | stats values(channel), values(duaration)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
12-06-2018
05:07 PM
Nope.
The results are mv and without a timestamp.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
