Splunk Search

Help getting multiple columns from a chart

p_b
New Member

I've spent the last week trying to figure out the answer to this myself in the documentation and in the questions. I'm sure this is easy if
you've been using Splunk for any length of time, but I'm very new. Also, I've submitted a project request for the Splunk team to help me, but they won't even touch it until it goes through an approval process.

Here's my question: I have the following Splunk query that works:

index=MyWebServer ("WebService_01" AND "input") OR ("WS Total time") 
| transaction TID host startswith="input" endswith="WS Total time" 
| timechart span=1m count, avg(WSTotalTimeValue), max(WSTotalTimeValue), perc95(WSTotalTimeValue)

I need to add 2 more columns and add more web service names. Consider the following to be psuedocode:

index=MyWebServer (("WebService_01" OR "WebService_02" OR "WebService_03" OR "WebService_04") AND "input") OR ("WS Total time") 
| transaction TID host startswith="input" endswith="WS Total time" 
| timechart span=1m username, webservicename, count, avg(WSTotalTimeValue), max(WSTotalTimeValue), perc95(WSTotalTimeValue)

I've tried a variety of stats, bin, chart, etc. commands to try to get it to work, but the syntax is just to new to me to get it to work.

Any advice would be appreciated.

Thanks.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The timechart command gives you output in x-y series format with x as time and y as one single field (there can be multiple aggegated values). See the timechart documentation for details/examples.

Assuming you're extracting field username and webservice name already, try something like this.

index=MyWebServer (("WebService_01" OR "WebService_02" OR "WebService_03" OR "WebService_04") AND "input") OR ("WS Total time") 
| rename COMMENT as "If field username and webservicename is not exracted, add extraction here"
 | transaction TID host webservicename username  startswith="input" endswith="WS Total time" 
 | bucket span=1m _time
 | stats  count, avg(WSTotalTimeValue) as AvgWSTotalTime, max(WSTotalTimeValue) as MaxWSTotalTime, perc95(WSTotalTimeValue) as P95WSTotalTime by  _time username, webservicename

OR

index=MyWebServer (("WebService_01" OR "WebService_02" OR "WebService_03" OR "WebService_04") AND "input") OR ("WS Total time") 
| rename COMMENT as "If field username and webservicename is not exracted, add extraction here"
 | transaction TID host webservicename username  startswith="input" endswith="WS Total time" 
| eval User_WS=username." - ". webservicename
| timechart span=1m  count, avg(WSTotalTimeValue), max(WSTotalTimeValue), perc95(WSTotalTimeValue) by User_WS

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

The timechart command gives you output in x-y series format with x as time and y as one single field (there can be multiple aggegated values). See the timechart documentation for details/examples.

Assuming you're extracting field username and webservice name already, try something like this.

index=MyWebServer (("WebService_01" OR "WebService_02" OR "WebService_03" OR "WebService_04") AND "input") OR ("WS Total time") 
| rename COMMENT as "If field username and webservicename is not exracted, add extraction here"
 | transaction TID host webservicename username  startswith="input" endswith="WS Total time" 
 | bucket span=1m _time
 | stats  count, avg(WSTotalTimeValue) as AvgWSTotalTime, max(WSTotalTimeValue) as MaxWSTotalTime, perc95(WSTotalTimeValue) as P95WSTotalTime by  _time username, webservicename

OR

index=MyWebServer (("WebService_01" OR "WebService_02" OR "WebService_03" OR "WebService_04") AND "input") OR ("WS Total time") 
| rename COMMENT as "If field username and webservicename is not exracted, add extraction here"
 | transaction TID host webservicename username  startswith="input" endswith="WS Total time" 
| eval User_WS=username." - ". webservicename
| timechart span=1m  count, avg(WSTotalTimeValue), max(WSTotalTimeValue), perc95(WSTotalTimeValue) by User_WS

p_b
New Member

I probably spent 15 or 20 hours on this and you solved it in 10 minutes.

Fantastic. Thank you very much.

This was perfect.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...