Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create a graph for average calculation of execution time field?

htomi
New Member
‎03-06-2019 05:38 AM

Hi all,

I would like to create a dashboard displaying average transaction time / day / test type.

Tests are running three times a day and each run contains the three different types of tests: declined, remote and remote_auth.

Each test is repeated 100 times, so you end up with 900 rows of execution times every day.

My issue is that Splunk doesn't seems to be able to calculate the average of execution time (field14) field.
Avg(field14) in timechart returns zero values only. Converting the time to seconds didn't work, but if I run the search with latest(field14) then it returns values:

| fields + Testtype, field14, Date
| timechart latest(field14)  by Testtype

The data source is a simple text file with the execution times displayed line by line and formatted as HH:MM:SS.ssssss

Execution time on the 3/6/2019 12:03:16 PM for the declined API test is: 00:00:00.6265450
Execution time on the 3/6/2019 12:03:16 PM for the declined API test is: 00:00:00.5981781
Execution time on the 3/6/2019 12:03:16 PM for the declined API test is: 00:00:00.6123268
Execution time on the 3/6/2019 12:03:16 PM for the declined API test is: 00:00:00.5854582

Splunk can locate all three fields I'm interested in.
Execution time on the 3/6/2019 12:03:16 PM for the declined API test is: 00:00:00.6265450
Date = 3/6/2019 Testtype = declined field14 = 00:00:00.6265450
Execution time on the 3/6/2019 12:03:16 PM for the declined API test is: 00:00:00.5981781
Date = 3/6/2019 Testtype = declined field14 = 00:00:00.5981781
Execution time on the 3/6/2019 12:03:16 PM for the declined API test is: 00:00:00.6123268
Date = 3/6/2019 Testtype = declined field14 = 00:00:00.6123268

Can someone suggest a way of generating a graph showing the average execution time (field14) by test type and by day?

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-06-2019 05:58 AM

@htomi,

avg works on numeric values. So here you might need to convert your field to a numeric (for e.g. sec) and calculate average on that.

For eg: below should give you an avg of response time in seconds over testtypes

| rex field=field14  "(?<hr>\d{2}):(?<mn>\d{2}):(?<ss>\d{2}).(?<ms>\d+)"
| eval responseTime=(hr*3600+mn*60+ss+ms/1000000)
| stats avg(responseTime)  by Testtype,Date

OR

    | rex field=field14  "(?<hr>\d{2}):(?<mn>\d{2}):(?<ss>\d{2}).(?<ms>\d+)"
    | eval responseTime=(hr*3600+mn*60+ss+ms/1000000)
    | chart avg(responseTime)  over Testtype by Date

Note : assuming that you have microsecond precision. If it's not , you need to adjust the calculation at the last bit accordingly.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-06-2019 05:58 AM

@htomi,

avg works on numeric values. So here you might need to convert your field to a numeric (for e.g. sec) and calculate average on that.

For eg: below should give you an avg of response time in seconds over testtypes

| rex field=field14  "(?<hr>\d{2}):(?<mn>\d{2}):(?<ss>\d{2}).(?<ms>\d+)"
| eval responseTime=(hr*3600+mn*60+ss+ms/1000000)
| stats avg(responseTime)  by Testtype,Date

OR

    | rex field=field14  "(?<hr>\d{2}):(?<mn>\d{2}):(?<ss>\d{2}).(?<ms>\d+)"
    | eval responseTime=(hr*3600+mn*60+ss+ms/1000000)
    | chart avg(responseTime)  over Testtype by Date

Note : assuming that you have microsecond precision. If it's not , you need to adjust the calculation at the last bit accordingly.

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

htomi
New Member
‎03-07-2019 02:00 AM

The second option didn't but the first one did work: I adjusted the decimal point and removed the hours and minutes which aren't used. Wish I would've known that I should be using regex before all that attempt to convert it to seconds.
This is what it looks like and works as I wanted to

|rex field=field14  "(\d{2}):(\d{2}):(?<ss>\d{2}).(?<ms>\d+)"  
| eval responseTime=(ss+ms/10000000)  
| timechart  span=1d avg(responseTime) by Testtype

Thanks you @renjith.nair !

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎03-07-2019 05:12 AM

If you dont need the hour , you could use convert mstime(time) AS ms_time also .

See if this does work for you : https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Convert#2._Convert_a_time_in_MM:S...

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...