how to get a time chart for the queuedepth for a g...

dhirajsir · ‎08-09-2019

I need to get a timechart for the data define by the search query

Data is in this format :
'10'
'ENTER'
tranId='10'
eventEndTs='Fri Aug 09 00:52:53 PDT 2019'}
queueName='FRAUD'
eventStartTs='Fri Aug 09 00:52:53 PDT 2019'
tranStatus='ENTER'

tried the following but not getting the results
sourcetype=bsgmc tranStatus="'ENTER'" | stats count as incomingcount by queueName | table queueName incomingcount | appendcols [search sourcetype=bsgmc tranStatus="'EXIT'" | stats count as outgoingcount by queueName | table outgoingcount] | eval QueueDepth=incomingcount-outgoingcount | table queueName QueueDepth | timechart count(QueueDepth) by queueName

adonio · ‎08-09-2019

maybe try something like that:

  index=<YOUR_INDEX> sourcetype=bsgmc (tranStatus="'ENTER'" OR tranStatus="EXIT") | timechart count(eval(tranStatus="ENTER")) as incomingcount  timechart count(eval(tranStatus="EXIT")) as outgoingcount by queueName  usenull=false

hope it helps

dhirajsir · ‎08-14-2019

No luck with query
Error in 'timechart' command: The specifier 'timechart' is invalid. It must be in form (). For example: max(size).

how to get a time chart for the queuedepth for a given queue name

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!