Plotting duration on chart

ChhayaV · ‎09-16-2013

hi,

I want to show time taken by a process to complete in seconds on time chart.

sample log entries

4432 [e0] INFO 2013-04-18 05:58:46.764 TM1.Process Process "TI_1" executed by user "Admin"

4432 [e0] INFO 2013-04-18 05:58:55.796 TM1.Process Process "TI_1": finished executing normally, elapsed time 9.02 seconds

4432 [e0] INFO 2013-04-18 06:01:45.400 TM1.Process Process "TI_1" executed by user "Admin"

4432 [e0] INFO 2013-04-18 06:01:55.243 TM1.Process Process "TI_1": finished executing normally, elapsed time 9.84 seconds

4432 [e0] INFO 2013-04-18 06:02:26.038 TM1.Process Process "TI_1" executed by user "Admin"

4432 [e0] INFO 2013-04-18 06:02:28.627 TM1.Process Process "TI_1": finished executing normally, elapsed time 2.59 seconds

Example values of duration from above log entries are 9.02 seconds and 9.84 seconds etc. We want plot these values on chart

Thanks

zeroactive · ‎09-16-2013

Two ways to do this:

Easiest way would be to just search for lines that contain the "elapsed time" value in it and chart those values. You can extract the elapsed time with a regular expression:

"finished executing normally" | rex field=_raw "elapsed time (?<myduration>.*\s)seconds " | chart avg(myduration)

If you have multiple process names, you could extract the process name into a field as well and add that into your chart:

"finished executing normally" | rex field=_raw "Process (?<processName>\w+)" | rex field=_raw "elapsed time (?.*\s)seconds " | chart avg(myDuration) by processName

Of course, use "timechart" instead of "chart" if you want to see the distribution of durations over time. Also. "timechart" does not require the use of a statistical function, but as Ayn points out if you have multiple events occuring during a given time slice on that you will still need to use a stat function.

Probably your best bet on this type of data is to use "table" instead of "chart" or "timechart".

ChhayaV · ‎09-18-2013

ok so there is no way to plot a chart in a way i want?

Ayn · ‎09-17-2013

I insist on that you do need it. Otherwise timechart would have no idea of how to handle multiple values in a timeslice.

ChhayaV · ‎09-17-2013

i want to plot time taken by a particular process to complete on chart.if elapsed time is 0.03 seconds this means process took 3 seconds to complete that i want to show with process name.And is it necessary to use function with time chart can i not use something like timechart myduration by Processname?

ChhayaV · ‎09-17-2013

hi
How can i show process names also | table table _time myduration working fine but i need to show process name also

ChhayaV · ‎09-17-2013

hi i am not able to match the process which are having name as "}Drill_Sales_Drill"

I matched all the process which are like "TI_1"

any suggestion?

Ayn · ‎09-16-2013

No, chart needs a statistical function as an argument so you can't just give it a field straight away like that. Also I imagine the poster wants to plot these over time. You could achieve this by skipping the chart commands and using | table _time myduration at the end.

Plotting duration on chart

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...