- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- outcome of stats into timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
host=myserver JobWrapper | transaction keepevicted=true jobid
| where job="provisioningJob" | stats max(duration) AS readytime by jobcallerref
our logfiles has different provisioningJobs for each user (identified by the jobcallerref), the 'readytime', the time before the user is fully provisioned is determined by the longest running job.
with the above query i get a list of the longest durations for each user.
now i would like to chart it over time ... i am no longer interested in tje jobcallerref, so i want to graph those 'readytime's over the time they occured.
can't figure out how to feed these results back into a timechart ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you're getting there. Timechart doesnt know what kind of rows you're giving it. Just as long as you give it a _time field it'll happily chart the rows as though they were events.
So this might get you a step closer.
host=myserver JobWrapper | transaction keepevicted=true jobid
| where job="provisioningJob" | stats max(_time) as _time max(duration) AS readytime by jobcallerref
| timechart max(readytime) by jobcallerref
although i suspect you may be hoping for something closer to a Gantt chart, which cant really be done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you're getting there. Timechart doesnt know what kind of rows you're giving it. Just as long as you give it a _time field it'll happily chart the rows as though they were events.
So this might get you a step closer.
host=myserver JobWrapper | transaction keepevicted=true jobid
| where job="provisioningJob" | stats max(_time) as _time max(duration) AS readytime by jobcallerref
| timechart max(readytime) by jobcallerref
although i suspect you may be hoping for something closer to a Gantt chart, which cant really be done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats max(duration) AS readytime, max(_time) as _time by jobcallerref |fields + _time, readytime
Finally found something in the direction of what i want ... the trick was to do also a max() or min() or something on the _time field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope that one works (you'd change span value to something smaller/bigger)
host=myserver JobWrapper | transaction keepevicted=true jobid | where job="provisioningJob" | timechart span=10m max(duration) by jobcallerref
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alright, and sorry for not helping at all - I rate your question up, so maybe some smart guys can take care, or request a feature 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think its just not possible ...
this post is pretty related : http://answers.splunk.com/questions/4142/weirdness-using-max-and-min-in-eval-operating-on-numeric-mu...
the fact that the max() can only be used with stats, timechart and chart is the basic problem ... i would like to use it as a filter, only continue with the max values from multi-value fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmm, not sure and running out of options 😉 . . .
search | timechart span=10m max(duration) by duration
search | timechart span=10m max(duration)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thats not what i ment ... i am no longer interested in the jobcallerrefs in the chart ... just those max values.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
