relative_time expression meaning - splunk

I have a set of data with timestamps, e.g., 12.50pm, 1pm, 1.30pm, 1.50pm, 2pm, 2.20pm, 3pm, 3.30pm
At the start of the code, I have split them into timespans, i.e.:
bucket _time span=1h
I have been trying to understand this expression so that I can determine which sign to use in the where clause later:
relative_time(max(_time),"@h")
What do they mean and how do they differ?
|where _time < relative_time(max(_time),"@h")
|where _time = relative_time(max(_time),"@h")
|where _time > relative_time(max(_time),"@h")

Let's pull the expression apart.
max(_time) is the same as _time because the where command only looks at a single event, which has only one _time field.
relative_time(max(_time),"@h") takes the epoch timestamp in the first argument and "rounds off" based on the second argument. In this case, _time is rounded off to the start of the current hour.
The where command selects the current event if it meets the specified criteria (IOW, the expression is true); otherwise, the event is discarded.
|where _time < relative_time(max(_time),"@h") - chooses the event if it occurred before the start of the hour
|where _time = relative_time(max(_time),"@h") - chooses the event if it occurred at the top of the hour
|where _time > relative_time(max(_time),"@h") - chooses the event if it occurred after the start of the hour
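As an added example (not from the original question or answer), here are the question's sample timestamps rebuilt with makeresults on an assumed date, with the hour each one snaps to and which of the three comparisons it satisfies:

```spl
| makeresults
| eval t="12:50,13:00,13:30,13:50,14:00,14:20,15:00,15:30"
| makemv delim="," t
| mvexpand t
| eval _time=strptime("2024-01-15 ".t, "%Y-%m-%d %H:%M")
| eval hour_start=relative_time(_time, "@h")
| eval comparison=case(_time<hour_start, "<", _time=hour_start, "=", _time>hour_start, ">")
| eval event_time=strftime(_time, "%H:%M"), snapped_to=strftime(hour_start, "%H:%M")
| table event_time snapped_to comparison
```

Because "@h" only ever snaps downward, the "<" case never matches here: the events at 13:00, 14:00 and 15:00 give "=" and all others give ">". To compare every event against the hour of the newest event instead, compute that maximum first with eventstats max(_time) as newest and then filter with where _time >= relative_time(newest, "@h").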

Related

Splunk: How to get specific timestamps if there are multiple in one event and change format and timezones to compute timediff within one event?

I have such events:
something
<operation>abc</operation>
<timeSent>2022-01-22T02:55:58.002Z</timeSent>
<operation>def</operation>
<timeSent>2022-01-21T13:09:18.333Z</timeSent>
What I now want to get is the timestamp of every event and the last timestamp (i.e., the maximum timestamp of the timeSent timestamps).
I tried this:
rex field=_raw "timeSent>(?<timeSent>[T:0-9-.]+)Z<"
| stats max(_time) as Responsetime, min(timeSent) as Requesttime
But this only gives me the maximum timestamp of all of the observed timestamps and the minimum of all timeSent timestamps. Moreover, I have the problem that I have, on the one hand, a different format for the timestamps and, on the other, different timezones. How could I solve this in order to compute the difference of Responsetime and Requesttime?
Timestamps have to be converted into epoch (integer) form before they can be compared. Do that with the strptime() function.
rex field=_raw "timeSent>(?<timeSent>[T:0-9-.]+)Z<"
| eval timeSent = strptime(timeSent, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| stats max(_time) as Responsetime, min(timeSent) as Requesttime
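As an added example that is not part of the answer above, the sample event is rebuilt with makeresults, every timeSent value in the event is captured (max_match=0), the earliest and latest are picked by sorting the ISO strings, and the trailing Z is replaced by an explicit +0000 offset so strptime treats the times as UTC regardless of the user's timezone setting. It assumes the response time is the latest timeSent in the event (the answer used the event's own _time instead):

```spl
| makeresults
| eval _raw="something <operation>abc</operation> <timeSent>2022-01-22T02:55:58.002Z</timeSent> <operation>def</operation> <timeSent>2022-01-21T13:09:18.333Z</timeSent>"
| rex field=_raw max_match=0 "timeSent>(?<timeSent>[T:0-9-.]+)Z<"
| eval sorted_sent=mvsort(timeSent)
| eval first_sent=mvindex(sorted_sent, 0), last_sent=mvindex(sorted_sent, -1)
| eval request_epoch=strptime(first_sent."+0000", "%Y-%m-%dT%H:%M:%S.%3N%z")
| eval response_epoch=strptime(last_sent."+0000", "%Y-%m-%dT%H:%M:%S.%3N%z")
| eval timediff_sec=round(response_epoch - request_epoch, 3)
| table first_sent last_sent request_epoch response_epoch timediff_sec
```

Sorting the raw strings is safe here because every timeSent uses the same fixed-width ISO 8601 layout; for the two sample values the difference is 49599.669 seconds.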

Splunk -> Get time taken in milliseconds

I have splunk json log entries that have epochSecond, nanoOfSecond, eventid and message fields.
I want to find average, 95perc, etc. of time taken in milliseconds for an event (which is defined by a unique eventid across all log entries), which is the difference between the time of the first log entry and the last log entry of an event.
How do I go about doing this in Splunk? I can't even get the duration of each event in milliseconds to start with.
stats range(_time) as duration by eventid -> seems to give time ins seconds, not millisec
stats range(timestamp) as duration by eventid -> Gives nothing
stats range(epochSecond * 1000000000 + nanoOfSecond) as duration by eventid -> gives syntax error
In Splunk, _time is a seconds counter so stats range(_time) will be a number of seconds.
If the timestamp field is something like "2020-11-11 09:27" then stats range(timestamp) makes no sense since there's no such thing as a range of strings (at least not in Splunk).
Try stats range(eval(epochSecond*1000000000 + nanoOfSecond)).
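As an added example (not from the answer), a constructed set of six log entries for two eventids shows the duration per event in milliseconds and then the average, 95th percentile and maximum across events. Working in milliseconds rather than summing nanoseconds also keeps the intermediate values small enough for eval's floating-point arithmetic:

```spl
| makeresults count=6
| streamstats count as n
| eval eventid=case(n<=3, "evt-A", true(), "evt-B")
| eval epochSecond=1700000000 + n
| eval nanoOfSecond=case(n=1, 100000000, n=2, 250000000, n=3, 900000000, n=4, 0, n=5, 500000000, n=6, 750000000)
| eval ts_ms=epochSecond*1000 + nanoOfSecond/1000000
| stats range(ts_ms) as duration_ms by eventid
| stats avg(duration_ms) as avg_ms, perc95(duration_ms) as p95_ms, max(duration_ms) as max_ms, count as events
```

With these constructed values evt-A spans 2800 ms and evt-B 2750 ms, so avg_ms is 2775 and max_ms is 2800.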

How to use where clause in my search string in Splunk Enterprise

I have a search string like below:
index=qrp STAGE IN (ORDER_EVENT)
| bucket _time span=1h
| timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| fillnull value=0
And this is currently giving me aggregates of trades for multiple source systems from the stage table Trade event in a tabular format for every hour of the day.
I need to search exactly for the time frame 8am every day, whether the value of the sum of trades for all source systems in the table is equal to zero. How do I add the condition to check whether the column value is zero or not?
Your help is much appreciated.
You can use the where command to test the value of a field.
... | where TradeCount == 0
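As an added example that is not part of the answer: because the timechart in the question is split by ODS_SRC_SYSTEM_CODE, its output has one column per source system rather than a single TradeCount field, so checking "all systems zero at 8am" needs a per-row total first (addtotals) and a filter on the hour of each row's _time:

```spl
index=qrp STAGE IN (ORDER_EVENT)
| bucket _time span=1h
| timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| fillnull value=0
| addtotals fieldname=AllSystems
| eval hour_of_day=strftime(_time, "%H")
| where hour_of_day="08" AND AllSystems==0
```

Rows that survive the where are the 8am hours on which no source system reported any trades.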

Splunk - Stats search count by day with percentage against day-total

The use-case I have is to provide the count of a certain error (searched by a certain pattern) by day and provide a percentage of such 'errored' requests against the total number of requests (searched without the error pattern) handled every day. Unable to form the appropriate query for it. The base queries are -
Get total counts for each day:
index=my_index | bucket _time span=day | stats count by _time
Get just errors for each day:
index=my_index "Error-Search-Pattern" | bucket _time span=day | stats count by _time
How do I combine the two counts to show up side-by-side and show the error:total percentage?
Thanks in advance.
Try this
index=my_index
| eval error=if(match(_raw,".*Error-Search-Pattern.*"), 1, 0)
| bucket _time span=1d
| stats count as total, count(eval(error==1)) as errored by _time
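As an added example (not from the answer), the same per-day counts extended with the error percentage the question asks for and a readable day column; sum(error) counts the flagged events, equivalent to count(eval(error==1)):

```spl
index=my_index
| eval error=if(match(_raw, "Error-Search-Pattern"), 1, 0)
| bucket _time span=1d
| stats count as total, sum(error) as errored by _time
| eval error_pct=round(100 * errored / total, 2)
| eval day=strftime(_time, "%Y-%m-%d")
| table day total errored error_pct
```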

Splunk - How can I get accumulative values for a day for a period of time?

One of the things I'm using Splunk to monitor is electricity usage; one of the fields indexed is the accumulative Kw value for the day. How can I get the last value for the day for a given timespan, so that the output is the total Kw for each day for a month? I've tried using
host=Electricity earliest=-4w@w1 latest=+w@w1 | timechart last(live_day_kw) as Kw
but for the data I have it seems to be adding each day together, so it's increasing day on day and not daily values; for example day1 is 7kw and day2 is 14kw and day3 is 21kw - I'd expect it to be ~7kw a day. Also just checked and the live_day_kw value does reset to zero at midnight.
Not quite sure of what you're looking for, but maybe this will help.
host=Electricity earliest=-4w@w1 latest=+w@w1 | timechart span=1d last(live_day_kw) as Kw
For the benefit of those looking for the same solution I managed to solve it thus:
host=Electricity earliest=-4w@w1 | timechart latest(live_day_kw) as "Kw_Day" | eval Kw_Day = round(Kw_Day,2)
I also needed the search set to 'month to date', and it gets exactly what I needed.