Solved: Re: How to edit my table to plot transactions?

krishnacasso · ‎03-16-2017

I was trying to create a table like below.
We have a log with below fields,

[Date][PreciseTime][Pid][Tid][TransactionID][Function][SrcFile][Message]

[03/03/2017][07:51:25.098][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

TransactionID is the unique field here. Need to plat time frame like below 0-10ms, 10 -20 ms, 20-30 ms, ..... and display total count of transactions which fall under that time frame.
In the event example above, lets assume faasfa-214d1-ff23r-3f3r43r2-dqwr23(TransactionID) took 25ms it should fall under 20 -30 ms.

I tried something like this,

base search | bucket _time span=1s | timechart  count by _time

I see we can go only till seconds in span can we go with milli seconds also here and achieve table like below

Transaction Time          Count
10 ms - 20 ms             24
20 ms - 30 ms             95
30 ms - 40 ms             38
40 ms - 50 ms             114
50 ms - 60 ms             1512
60 ms - 70 ms             1075
70 ms - 80 ms             223
80 ms - 90 ms             51
90 ms - 100 ms            32
100 ms - 200 ms           62
200 ms - 300 ms           30
300 ms - 400 ms           23
400 ms - 500 ms           9
500 ms - 600 ms           4
600 ms - 700 ms           9
700 ms - 800 ms           21
800 ms - 900 ms           6
900 ms - 1 sec            3

cmerriman · ‎03-16-2017

you should be able to use milliseconds with span=10ms but if you do a bucket/bin, you'll want to use chart, not timechart.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Bin#Span_options

base search | bucket _time span=10ms | chart count by _time

OR

base search  | timechart span=10ms count

View solution in original post

cmerriman · ‎03-16-2017

you should be able to use milliseconds with span=10ms but if you do a bucket/bin, you'll want to use chart, not timechart.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Bin#Span_options

base search | bucket _time span=10ms | chart count by _time

OR

base search  | timechart span=10ms count

krishnacasso · ‎03-16-2017

Hi cmerriman,
Thank you. This search is returning me graph over time for 10 ms time frame.
Let me add few more events.
[03/03/2017][07:51:25.038][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

[03/03/2017][07:51:25.49][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

[03/03/2017][07:51:25.050][31255][40510594][faasfa-214d1-ff23r-3f3r43r2-dqwr23][number::invoke][number.java][Leaving the nunber.]

I am using earliest=-30m in base search, So I was taking events from only last 30 minutes. In below event the transaction faasfa-214d1-ff23r-3f3r43r2-dqwr23 have earliest 07:51:25.038 (_time) and latest 07:51:25.050(_time)
The difference bettween earliest and latest is 50-38 which is 12 milliseconds so this transaction should fall under 0-10 ms.

cmerriman · ‎03-16-2017

is it not falling under that bucket? is your PreciseTime the same as _time? what results are you seeing?

krishnacasso · ‎03-17-2017

I was getting no results found. Yes my precise time is same as _time. When I use time chart _ time is represented as 2017-03-03 12:00:00 whereas my precise time is in different format 07:51:25.050

cmerriman · ‎03-17-2017

isn't the range from this 07:51:25.038-07:51:25.49 which would fall under the 40-50 ms?

i just created a dataset for these three events and this is what i did and got:

|stats min(_time) as earliest max(_time) as latest by transactionid|eval duration=latest-earliest| bucket duration span=10ms |chart count by duration

duration count
0.450 1

krishnacasso · ‎03-17-2017

Hi Cmerriman,
This search worked for me. Thank you.

How to edit my table to plot transactions?

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!