I have created two event types from logs to capture messaging events received and processed, having same contextId; from which I am trying to chart the duration of time taken to process an message by contextId. But the time is in milliseconds which does not work with timechart and it displays zero.
I tried the following
1. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10
2. eventtype="Message Received" OR eventtype="Message processed" | transaction range(_time) as duration by contextId | chart range(_time) by contextId
3. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10 | convert ctime(_time)
what is working,
But actually requirement is timechart top 50 message processing events (contextIds) which has taken more than 1 sec in milliseconds in every hour.
My observation is, stats and transactions do not work in range(evaled fields). Neither bucket produces correct result. If I bucket range function for 30 mins it results the _time as 1800 secs
Hi@hariatsplunk,
You can try the query below:
eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") | stats range(time) as time by contextid| eval time=round(time*1000) | where time>1000 | sort - time limit=50
Let me know if this helps!!!!
Hi@hariatsplunk,
You can try the query below:
eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") | stats range(time) as time by contextid| eval time=round(time*1000) | where time>1000 | sort - time limit=50
Let me know if this helps!!!!
Thanks. It works perfectly. Additionally can this be bucketed for every hour? I ask this cause a range can extend over another bucket in which case how will the contextId placed ?
Hi,
You can try dis:
eventtype="Message Received" OR eventtype="Message processed" | convert timeformat="%m/%d/%Y,%H:%M:%S.%3N" ctime(_time) AS c_time | eval time=strptime(c_time, "%m/%d/%Y,%H:%M:%S.%3N") |bin _time span=60m| stats range(time) as time by contextid| eval time=round(time*1000) | where time>1000 | sort - time limit=50
Hope this helps!!