timechart

It's a pretty popular search command and it is used in all sorts of situations. Below are some really cool searches that use timechart along with other search commands.

Extract SQL Insert Params

sourcetype=stream:mysql* query="insert into*" | rex "insert into \S* \((?<aaa>[^)]+)\) values \((?<bbb>[^)]+)\)" | rex mode=sed field=bbb "s/\\\\\"//g" | makemv aaa delim="," | makemv bbb delim="," | eval a_kvfield = mvzip(aaa, bbb) | extract jam_kv_extract | timechart span=1s per_second(m_value) by m_name

purpose:

extracts fields from a SQL Insert statement so that the values inserted into the database can be manipulated via splunk searches. In this case, it is used in conjunction with splunk stream & mysql, but should work with any source / database technology.

requirements:

comments:

detect time problem : (index time and time being really different)

sourcetype=*
| eval diff=_indextime-_time| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| table indextime _time diff sourcetype
| where lat!=0
| timechart avg(diff) max(diff) by sourcetype

purpose:

requirements:

comments:

this search simply graph the time difference between the event time and the indexing time by sourcetype : this helps troubleshoot sourcetypes time issues.