Refine your search:

milliseconds in _time

0

Splunk is picking up a csv file that looks like this:

SP A,03/27/11 13:10:00,10,4,5,6
SP A,03/27/11 13:20:00,4,4,2,0
SP A,03/27/11 13:30:00,1,1,5,4
...
SP B,03/27/11 13:10:00,15,2,3,6
SP B,03/27/11 13:20:00,1,8,5,0
SP B,03/27/11 13:30:00,2,2,3,4

My assumption was that I would be able to do this:

| stats sum(column3) as total_column3 by _time |timechart avg(total_column3)

and end up with 25,5,3. But splunk is adding milliseconds to _time resulting in unique times/events:

3/27/11 1:10:00.400 PM  SP A,03/27/11 13:10:00,10,4,5,6
...
3/27/11 1:10:00.247 PM  SP B,03/27/11 13:10:00,15,2,3,6

I could use the date stamp column from the csv:

| stats sum(column3) as total_column3 by column2 |chart avg(total_column3) by column2

but I want to be able to use timechart and adjust span so I don't always have to use 10 minute intervals.

Should I be importing the data differently or is there a way around this?

asked 28 Mar '11, 23:21

dinisco's gravatar image

dinisco
338
accept rate: 0%

One Answer:
oldestnewestmost voted
0

I don't know if it's mis-parsing the data and getting milliseconds, but that's a separate issue. You can fix that by providing explicit TIME_FORMAT and TIME_PREFIX to match your data.

As for reporting, however, you should simply be able to do:

| timechart span=1s sum(column3)

or use whatever time span you like.

Also, I'm not sure why you'd need stats first. If this is a simplification, and you do need stats, you can force a span onto the with:

... | bucket span=10m _time | stats sum(column3) as total_colum3 by _time | ...

So whether or not the data has milliseconds, you should be able to adjust for it.

link

answered 29 Mar '11, 00:04

gkanapathy's gravatar image

gkanapathy ♦
32.6k4827
accept rate: 41%

Thanks again, as always. The bucket span option did the trick.

The reason I'm using stats to sum is because I want to sum column3 for SPA and SPB then take an average over time. If I used sum in timechart it would add column3 and the data would be misrepresented whenever timechart span exceeded 10 mins.

(29 Mar '11, 22:12) dinisco
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×352
×102

Asked: 28 Mar '11, 23:21

Seen: 1,046 times

Last updated: 12 Apr '11, 04:22

Related questions

Extract timestamp in Epoch (milliseconds) to date

_time resolution in Summary Index

Overwrite _time

Time-Date recognize Unix Epoch Time milliseconds

Milliseconds to HH:MM:SS

Did _time format (when displaying it) change?

Overriding _time

How splunk decide date/time in _time field?

Parsing epoch time (tai64n) with milliseconds

Copyright © 2005-2012 Splunk Inc. All rights reserved.