I have a lot of SOAP req/resp pairs and I was able to match them up and find the time between them (duration). I then input this search and was returned all of the unique identifiers (GUIDs) with a duration longer than 8 seconds. Now I want to chart this using Timechart, but every time I try to do this, nothing will come up, even though a list of 100+ GUIDs was present when I didn't have the Timechart command in there.
My original search which returned back rows of expected data in the 'Statistics' tab:
index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| TOP GUID by duration | WHERE duration>8
My unsuccessful Timechart search which returns back NO data:
index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| TOP GUID by duration | timechart list(duration) | WHERE duration>8
I was finally able to get it with this query. I was unaware that Splunk has a built-in Visualization editor, which helped a lot.
index=uv GUID1="*" NOT "ERROR" | transaction GUID1 startswith="CalculateTaxRequest" endswith="CalculatetaxResponse" | where duration>8| timechart count by duration
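To make the ordering problem concrete, here is an added Python simulation (not Splunk code and not from this thread) of the three pipeline stages on constructed events: transaction pairing by GUID, `where` before `timechart`, and the question's `timechart list(duration) | where duration>8`, whose where clause compares a field that timechart no longer emits. The events, GUIDs and 5-minute span are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): (timestamp, GUID, message).
# The last request never gets a response, so its transaction never closes.
EVENTS = [
    ("2015-03-01T10:00:00", "dsf234-sdf-234-dsf-344", "CalculateTaxRequest"),
    ("2015-03-01T10:00:09", "dsf234-sdf-234-dsf-344", "CalculatetaxResponse"),  # 9 s
    ("2015-03-01T10:01:00", "jhhbj-767-sdfds-sdfds", "CalculateTaxRequest"),
    ("2015-03-01T10:01:02", "jhhbj-767-sdfds-sdfds", "CalculatetaxResponse"),   # 2 s
    ("2015-03-01T10:07:00", "dfds3-h33-hbh3-23jjkk", "CalculateTaxRequest"),
    ("2015-03-01T10:07:11", "dfds3-h33-hbh3-23jjkk", "CalculatetaxResponse"),  # 11 s
    ("2015-03-01T10:08:00", "orphan-0000-no-response", "CalculateTaxRequest"),
]

def transaction(events, startswith="CalculateTaxRequest", endswith="CalculatetaxResponse"):
    """Mimic `transaction GUID startswith=... endswith=...`: pair each request with
    its response by GUID and return {GUID: (start_time, duration_seconds)}."""
    open_starts, txns = {}, {}
    for ts, guid, msg in sorted(events):          # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if msg == startswith:
            open_starts[guid] = t
        elif msg == endswith and guid in open_starts:
            start = open_starts.pop(guid)
            txns[guid] = (start, (t - start).total_seconds())
    return txns                                   # unmatched requests are dropped

def where_then_timechart(txns, threshold=8.0, span_minutes=5):
    """`where duration > 8 | timechart span=5m count`: filter the per-transaction
    rows first, then bucket the survivors by the transaction's start time."""
    buckets = defaultdict(int)
    for start, duration in txns.values():
        if duration > threshold:
            bucket = start.replace(minute=start.minute - start.minute % span_minutes,
                                   second=0, microsecond=0)
            buckets[bucket.isoformat()] += 1
    return dict(buckets)

def timechart_then_where(txns, threshold=8.0):
    """The ordering from the question: `timechart list(duration) | where duration>8`.
    After timechart the row carries only _time and the multivalue list(duration);
    a scalar field named `duration` no longer exists, so the comparison is null
    (false) for every row and the search returns nothing."""
    rows = [{"_time": "2015-03-01T10:00:00",
             "list(duration)": [d for _, d in txns.values()]}]
    return [r for r in rows if r.get("duration") is not None and r["duration"] > threshold]
```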
Hi skoelpin, have you tried to use the where clause directly with the timechart command, as described in the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Timechart#Using_where_clauses ? Also, be aware that using the list() function creates a multi-value field, whereas in the first search you're using single-value fields for duration.
Also, I think you may be correct about the list() function. Maybe I should be using a different function; any suggestions?
What is your intention in using list? Maybe it helps if you tell us what you expect as a result.
The unique identifier (GUID) is tied to BOTH the request and response. So when a SOAP request is sent, it has a timestamp and on the response it also has a timestamp. The Transaction command groups these together so I have an output in the 'Statistics' tab which shows the GUID and total duration (time for each SOAP request to respond).
Duration GUID
9.3387 dsf234-sdf-234-dsf-344
11.234 jhhbj-767-sdfds-sdfds
10.333 dfds3-h33-hbh3-23jjkk
So I currently have this output with my first query, but now I want to make a timechart visually showing the duration. I've tried using count(duration), list(duration), and values(duration) with no luck.
Okay, how about a different approach? This is un-tested, but why not try this:
index=uv GUID="*" NOT "ERROR" | stats earliest(_time) AS earliest_time latest(_time) AS latest_time by GUID, _time | eval Duration=latest_time-earliest_time | where Duration > 8 | stats count by GUID, Duration, _time TOP GUID | fields - count
I see what you did there, but unfortunately it did not work. I was finally able to get it and will post my solution below. Thanks for your help and time! I appreciate it.
Have you tried this:
index=uv GUID="*" NOT "ERROR" | transaction GUID startswith="CalculateTaxRequest" endswith="CalculatetaxResponse"| table GUID duration | WHERE duration > 8 | sort duration desc
Also, switch the tab to visualization and select "column" or "line"
(I know. Kind of tacky.)
This kind of worked but not exactly what I was looking for. Thanks for taking the time to help though!
Thanks for the response! I took out the where clause and still have the same problem. My original search (the first one listed in my question) will return exactly what I'm looking for. But when I add timechart, nothing will appear, so I'm not sure if it has anything to do with WHERE. Any other suggestions?