I'm trying to create a timechart for timestamp of each event and TotalTimeTaken value in splunk.
My query:
index=XYZ Total Time Taken StudentController
| rex "Total Time Taken: (?<TotalTimeTaken>[^,}]+)"
| timechart TotalTimeTaken limit=5
Expected data table:
| _time | TotalTimeTaken |
|---|---|
| 2024-04-03T06:27:07.371-04:00 | 52 ms |
| 2024-04-03T06:27:07.328-04:00 | 23 ms |
| 2024-04-03T06:27:07.306-04:00 | 24 ms |
| 2024-04-03T06:27:07.293-04:00 | 74 ms |
| 2024-04-03T06:27:07.283-04:00 | 22 ms |
But the timechart is not coming as expected. Need the exact values of TotalTimeTaken instead of count.
Is there any way to build the chart from the existing dataset? I have created the dataset as shown in the above table. How to use this table dataset and create a line chart out of it?
I see two problems here. The first is the timechart command requires numeric data, but the TotalTimeTaken field is a string because of the "ms". That's easy to handle. The second problem is the timechart command has a minimum resolution of 1 second so it is unable to graph 5 values in the same second. Handle that by using an aggregation function (max, min, avg, etc.).
Here's a run-anywhere example using the sample data.
| makeresults
| eval _raw="_time TotalTimeTaken
2024-04-03T06:27:07.371-04:00 52 ms
2024-04-03T06:27:07.328-04:00 23 ms
2024-04-03T06:27:07.306-04:00 24 ms
2024-04-03T06:27:07.293-04:00 74 ms
2024-04-03T06:27:07.283-04:00 22 ms"
| multikv forceheader=1
| eval _time=strptime(time_,"%Y-%m-%dT%H:%M:%S.%3N%:z")
``` Above sets up test data. Skip IRL ```
``` Strip out the unit label ```
| rex field=TotalTimeTaken "(?<TotalTimeTaken>\d+)"
| timechart values(TotalTimeTaken) limit=5