Question
Hey there,
I'm a beginner with Splunk and have questions about timechart and the _time variable. Here is my situation:
2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
I've got a log file with an indexed _time value which I don't care about.
I need to count the number of concurrent sessions per second, with the following constraints:
There is a single entry in my log per session, containing Start time and End time fields. Consequently, the transaction keyword seems to be useless.
The timechart must be drawn per rotary number.
I must not use the log entry's index time, which is NOT correct, and must use the Start/End fields instead.
My tests
For testing purposes I managed to convert times to epoch format, and compute the duration:
...
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval duration=etime-stime
Concurrency with my duration appears not to be working because it still uses the log time.
I tried to use the keyword transaction with startswith=stime endswith=etime without results, and with TransacID as the session identifier, but I think it is useless.
...
| rex field=_raw ".>\s+(?<TransacID>\d+):."
Finally, my complete search:
source="log" %X25-5-CALL_RECORD
| rex field=_raw ".>\s+(?<Transacid>\d+):."
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval _time=stime
| timechart span=1s count(eval(stime<=(_time) AND (_time)<=etime)) as InTimeRange by Rotary_number
The difficulty is that I need to get rid of the indexed log time to use concurrency or timechart. That's why I used
| eval _time=stime
I actually want to use timechart's abscissa and compare it each second...
I first thought it was working, but the values are not correct; there should be many more concurrent sessions. This may be a dimension confusion between "tables" of data, and variable names that identify a single value in a single line.
Can someone help me with this case?
Thanks in advance
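Editor's note, added here as a reference and not part of the original post or of Splunk: the computation the question asks for, per-second concurrency per rotary number taken from the Start/End fields, done in plain Python over constructed call-record lines (the first line is the one quoted in the question, the other three are invented to create overlapping sessions). The point it makes explicit is that a session has to be counted in every one-second bucket between its Start and End. After `eval _time=stime`, a timechart bins each event into the single bucket of its own _time, where the test `stime<=_time AND _time<=etime` is always true, so that search counts session starts per second, not concurrent sessions. The names `parse_call_time`, `parse_sessions` and `concurrency_per_second` are this example's own.

```python
"""Concurrent X25 call-record sessions per second, computed from the Start/End
fields of each log line rather than from the line's own (indexed) timestamp."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real data). The first is the line quoted in
# the question; the others are invented so that sessions overlap within a rotary.
SAMPLE_LOG = """\
2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:28.600000+00:00 172.21.1.1 local5.notice<173> 16100: GW: Jan 29 09:12:28.500: %X25-5-CALL_RECORD: Start=09:12:26.100 UTC Tue Jan 29 2013, End=09:12:28.500 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:30.300000+00:00 172.21.1.1 local5.notice<173> 16101: GW: Jan 29 09:12:30.200: %X25-5-CALL_RECORD: Start=09:12:30.000 UTC Tue Jan 29 2013, End=09:12:30.200 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:27.100000+00:00 172.21.1.1 local5.notice<173> 16102: GW: Jan 29 09:12:27.000: %X25-5-CALL_RECORD: Start=09:12:25.000 UTC Tue Jan 29 2013, End=09:12:27.000 UTC Tue Jan 29 2013, Rotary-number=2, Clear-cause=0
"""

CALL_RECORD_RE = re.compile(
    r"%X25-5-CALL_RECORD: Start=(?P<start>[^,]+), End=(?P<end>[^,]+), "
    r"Rotary-number=(?P<rotary>\d+)"
)
# Python equivalent of the Splunk format "%T.%3Q %Z %a %b %d %Y" used in the question.
CALL_TIME_FMT = "%H:%M:%S.%f %Z %a %b %d %Y"


def parse_call_time(text: str) -> float:
    """'09:12:25.887 UTC Tue Jan 29 2013' -> epoch seconds as a float."""
    # %Z consumes the literal 'UTC' but leaves the datetime naive, so attach UTC explicitly.
    dt = datetime.strptime(text.strip(), CALL_TIME_FMT).replace(tzinfo=timezone.utc)
    return dt.timestamp()


def parse_sessions(lines):
    """Yield (rotary, start_epoch, end_epoch) for each CALL_RECORD line; skip the rest."""
    for line in lines:
        m = CALL_RECORD_RE.search(line)
        if not m:
            continue
        start, end = parse_call_time(m["start"]), parse_call_time(m["end"])
        if end < start:  # clock step or mangled record: skip rather than poison the counts
            continue
        yield m["rotary"], start, end


def concurrency_per_second(lines):
    """rotary -> {epoch_second: number of sessions active during that second}.

    A session is counted in every one-second bucket t with floor(start) <= t <= floor(end),
    i.e. the question's stime <= t <= etime test, but applied to each bucket of the time
    axis instead of to the event's own timestamp. A difference array keeps this at
    O(sessions + buckets) rather than O(sessions * buckets).
    """
    deltas = defaultdict(lambda: defaultdict(int))
    for rotary, start, end in parse_sessions(lines):
        deltas[rotary][int(start)] += 1      # session becomes active in this second
        deltas[rotary][int(end) + 1] -= 1    # and is gone from the second after its End

    result = {}
    for rotary, d in deltas.items():
        counts, active = {}, 0
        seconds = sorted(d)
        # The largest key only ever carries a -1 (an End), so it is never an active bucket.
        for t in range(seconds[0], seconds[-1]):
            active += d.get(t, 0)
            counts[t] = active  # zero-filled for idle seconds, like timechart's empty buckets
        result[rotary] = counts
    return result


def format_second(epoch_second: int) -> str:
    """Epoch second -> 'HH:MM:SS' in UTC, for printing the time axis."""
    return datetime.fromtimestamp(epoch_second, tz=timezone.utc).strftime("%H:%M:%S")


if __name__ == "__main__":
    for rotary, counts in sorted(concurrency_per_second(SAMPLE_LOG.splitlines()).items()):
        print(f"Rotary-number={rotary}")
        for t, n in sorted(counts.items()):
            print(f"  {format_second(t)}  {n}")
```

With these four constructed sessions, rotary 1 peaks at 2 concurrent calls during 09:12:26 (the quoted session overlaps the invented one starting at 09:12:26.100), while a count of session starts per second would never exceed 1; that difference is what to compare a Splunk search's output against.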