Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

outcome of stats into timechart

bowa
Path Finder
‎03-31-2011 10:43 AM 
host=myserver JobWrapper | transaction keepevicted=true jobid 
| where job="provisioningJob" | stats max(duration) AS readytime by jobcallerref

our logfiles has different provisioningJobs for each user (identified by the jobcallerref), the 'readytime', the time before the user is fully provisioned is determined by the longest running job.

with the above query i get a list of the longest durations for each user.

now i would like to chart it over time ... i am no longer interested in tje jobcallerref, so i want to graph those 'readytime's over the time they occured.

can't figure out how to feed these results back into a timechart ...

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-01-2011 07:02 AM

Sounds like you're getting there. Timechart doesnt know what kind of rows you're giving it. Just as long as you give it a _time field it'll happily chart the rows as though they were events.

So this might get you a step closer. 

host=myserver JobWrapper | transaction keepevicted=true jobid 
| where job="provisioningJob" | stats max(_time) as _time max(duration) AS readytime by jobcallerref 
| timechart max(readytime) by jobcallerref

although i suspect you may be hoping for something closer to a Gantt chart, which cant really be done.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-01-2011 07:02 AM

Sounds like you're getting there. Timechart doesnt know what kind of rows you're giving it. Just as long as you give it a _time field it'll happily chart the rows as though they were events.

So this might get you a step closer. 

host=myserver JobWrapper | transaction keepevicted=true jobid 
| where job="provisioningJob" | stats max(_time) as _time max(duration) AS readytime by jobcallerref 
| timechart max(readytime) by jobcallerref

although i suspect you may be hoping for something closer to a Gantt chart, which cant really be done.

Reply
Solved! Jump to solution

bowa
Path Finder
‎04-01-2011 06:45 AM 
| stats max(duration) AS readytime, max(_time) as _time by jobcallerref |fields + _time, readytime

Finally found something in the direction of what i want ... the trick was to do also a max() or min() or something on the _time field

Reply
Solved! Jump to solution

LCM
Contributor
‎03-31-2011 11:41 AM

I hope that one works (you'd change span value to something smaller/bigger)

host=myserver JobWrapper | transaction keepevicted=true jobid | where job="provisioningJob" | timechart span=10m max(duration) by jobcallerref
Reply
Solved! Jump to solution

LCM
Contributor
‎03-31-2011 12:57 PM

alright, and sorry for not helping at all - I rate your question up, so maybe some smart guys can take care, or request a feature 🙂

Reply
Solved! Jump to solution

bowa
Path Finder
‎03-31-2011 12:51 PM

i think its just not possible ...

this post is pretty related : http://answers.splunk.com/questions/4142/weirdness-using-max-and-min-in-eval-operating-on-numeric-mu...

the fact that the max() can only be used with stats, timechart and chart is the basic problem ... i would like to use it as a filter, only continue with the max values from multi-value fields.

0 Karma
Reply
Solved! Jump to solution

LCM
Contributor
‎03-31-2011 12:31 PM

hmm, not sure and running out of options 😉 . . .

search | timechart span=10m max(duration) by duration
search | timechart span=10m max(duration)

Reply
Solved! Jump to solution

bowa
Path Finder
‎03-31-2011 11:48 AM

thats not what i ment ... i am no longer interested in the jobcallerrefs in the chart ... just those max values.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...