Splunk Search

How to show a timeline of concurrent transactions

joelbyrnes
Engager

Hi,

I'm trying to create a chart showing batch jobs on a timeline, in the manner of an evolutionary or geological timeline, such as this: http://img4.wikia.nocookie.net/__cb20090528015750/wcg/images/a/a5/Timeline.svg

Not a timeline like the bar chart at the top of the search page; multiple rows of one or more line segments indicating start and end time.

These batch jobs have a name and a variable duration, and I am most interested to see when they overlap, so they need to be on separate lines. I managed to adapt the below example so that each named batch had a row number, and could see the line. However, this breaks down when you try to increase the duration to cover multiple batch instances - the chart joins them together which is not desired.

https://wiki.splunk.com/Community:Search_Report:_How_To_Create_a_Line_Chart_of_Search_Duration_in_Ti...

Currently my query looks like this:

index="foobar" sourcetype="events" | eval TT=_time | transaction BATCH_REFERENCE | search duration>300 | sort -_time | streamstats count AS row | mvexpand TT | eval _time=TT | table _time row TT BATCH_REFERENCE CLIENT_NAME BATCH_NAME | eval app_batch=CLIENT_NAME+"-"+BATCH_NAME+"_"+row | timechart limit=50 avg(row) by app_batch

So it creates a transaction list, with the times as a variable, adds a unique number for each transaction so they can be on separate lines, separates the transaction back into individual events, and then aggregates them by client, batch and individual batch instance (row) so the points can be plotted on a timechart in a straight line.

This is not ideal and worse, the chart is trying to be "helpful" by combining/aggregating points close to each other that are not actually related. I have to separate them by means of putting batch instances on different lines, but would rather one client-batch was per line and had disconnected segments for each batch instance. Or at least that they were the same colour.

Also if you have any other ways of doing this outside Splunk I'm all ears. I have also looked for JavaScript or other libraries for creating timelines from start and end events, and am surprised that there seems to be nothing. The best seems to be a hack on a stacked bar chart which isn't quite right.

Beyond that, I then want to look for batches running concurrently on the same box, which would be even more complicated to visualise...

Thanks in advance for any tips or advice.

Joel
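The processing the query above does in SPL (group events into a transaction per BATCH_REFERENCE, keep the long ones, put each client-batch on its own row with one disconnected segment per instance) can also be done outside Splunk, which also answers the last part of the question about finding batches that run concurrently on the same box. The following is an added example and is not code from the original post or from Splunk; the BATCH_REFERENCE, CLIENT_NAME and BATCH_NAME fields mirror the question, while the `host` field, the start/end event layout and all sample events are constructed assumptions.

```python
"""Row-per-job timeline of batch instances from start/end events, plus
detection of instances that overlap on the same host.

Added example, not from the original post. Field names mirror the question;
the `host` field and every sample event below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events:
# (timestamp, BATCH_REFERENCE, CLIENT_NAME, BATCH_NAME, host, event kind)
SAMPLE_EVENTS = [
    ("2014-03-01 01:00:00", "R1", "acme",   "nightly",   "box1", "start"),
    ("2014-03-01 01:45:00", "R1", "acme",   "nightly",   "box1", "end"),
    ("2014-03-01 01:30:00", "R2", "acme",   "reconcile", "box1", "start"),
    ("2014-03-01 02:10:00", "R2", "acme",   "reconcile", "box1", "end"),
    ("2014-03-01 03:00:00", "R3", "acme",   "nightly",   "box1", "start"),
    ("2014-03-01 03:20:00", "R3", "acme",   "nightly",   "box1", "end"),
    ("2014-03-01 01:40:00", "R4", "globex", "export",    "box2", "start"),
    ("2014-03-01 02:00:00", "R4", "globex", "export",    "box2", "end"),
]


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def build_transactions(events):
    """Group events by BATCH_REFERENCE, like `transaction BATCH_REFERENCE`:
    the instance spans from its earliest to its latest event."""
    tx = {}
    for ts, ref, client, batch, host, _kind in events:
        t = parse_ts(ts)
        rec = tx.setdefault(ref, {"client": client, "batch": batch,
                                  "host": host, "start": t, "end": t})
        rec["start"] = min(rec["start"], t)
        rec["end"] = max(rec["end"], t)
    for rec in tx.values():
        rec["duration"] = (rec["end"] - rec["start"]).total_seconds()
    return tx


def timeline_rows(tx, min_duration=0):
    """One row per CLIENT-BATCH holding the disconnected (start, end, ref)
    segments of its instances; `min_duration` plays the role of
    `search duration>300` in the question's query."""
    rows = defaultdict(list)
    for ref, rec in tx.items():
        if rec["duration"] > min_duration:
            rows[f'{rec["client"]}-{rec["batch"]}'].append(
                (rec["start"], rec["end"], ref))
    return {name: sorted(segs) for name, segs in sorted(rows.items())}


def concurrent_on_host(tx):
    """Pairs of instances whose intervals overlap on the same host,
    with the overlap length in seconds."""
    found = []
    for a, b in combinations(sorted(tx), 2):
        ra, rb = tx[a], tx[b]
        if ra["host"] != rb["host"]:
            continue
        overlap = (min(ra["end"], rb["end"])
                   - max(ra["start"], rb["start"])).total_seconds()
        if overlap > 0:
            found.append((a, b, ra["host"], overlap))
    return found


def render_ascii(rows, width=60):
    """Text rendering of the rows: '#' wherever an instance is running,
    so overlapping segments are visible without a charting library."""
    starts = [s for segs in rows.values() for s, _, _ in segs]
    ends = [e for segs in rows.values() for _, e, _ in segs]
    t0, t1 = min(starts), max(ends)
    span = (t1 - t0).total_seconds() or 1.0
    col = lambda t: int((t - t0).total_seconds() / span * (width - 1))
    label_w = max(len(name) for name in rows)
    lines = []
    for name, segs in rows.items():
        cells = [" "] * width
        for s, e, _ in segs:
            for i in range(col(s), col(e) + 1):
                cells[i] = "#"
        lines.append(f"{name:<{label_w}} |{''.join(cells)}|")
    return lines


if __name__ == "__main__":
    tx = build_transactions(SAMPLE_EVENTS)
    rows = timeline_rows(tx, min_duration=300)
    print("\n".join(render_ascii(rows)))
    for a, b, host, secs in concurrent_on_host(tx):
        print(f"{a} and {b} overlap on {host} for {secs:.0f}s")
```

Each client-batch gets exactly one row, and a second instance of the same batch (R3 in the sample) becomes a separate segment on that row rather than being joined to the first, which is the behaviour the timechart approach could not produce. The overlap check is per host, so R4 on box2 is not reported even though it runs at the same time as R1 and R2 on box1.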

quixand
Path Finder