Splunk Search

Create a stacked bar chart based on transactions

zd00191
Communicator

I have transactions with a start time and end time. I have created a search to get the 10 jobs with the largest durations for each day of the week over the last seven days. I want to create a stacked bar chart that will display the day on the vertical axis with the 10 jobs with the largest average duration stacked on top of each other. The horizontal axis needs to be the duration. Here is my search. Any help is much appreciated!

index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="SAP FILO" JOB_NAME="*" | transaction JOB_NAME startswith="START*" unifyends=true |convert timeformat="%b %d, %Y %I:%M:%S %P" ctime(_time) AS "Start Time" |top 10 avg(duration), JOB_NAME by date_wday

martin_mueller
SplunkTrust

Something along these lines:

...  | transaction JOB_NAME startswith="START*" unifyends=true | timechart limit=10 span=1d useother=f avg(duration) by JOB_NAME

Based on your description it sounds as if you'll want to display this as a stacked bar chart, making the horizontal X-axis display the duration.

martin_mueller
SplunkTrust

So... you want each block to be the same length, regardless of duration?

If so, add an eval duration = 1 between the transaction and the timechart.

zd00191
Communicator

Each transaction is a job run.

In the last seven days,

For each day, show me the top ten jobs with the longest average duration

In other words, calculate the top ten jobs with the longest average duration for each day and then display those ten jobs stacked on top of one another for each day based on the duration length.

The duration length should be on the horizontal axis, and each day of the week should be on the vertical axis with 10 sections per bar, one bar per day. Each section of the bar represents one of the top ten jobs with the longest average duration for that day.

zd00191
Communicator

I would like to have it where each day has ten stacked blocks. In other words, I want the ten jobs with the longest average duration over the last seven days

When I use the above, I get the ten jobs with the longest average duration over the last 7 days with each block being how long that job run took. Do you get what I am saying? Thanks by the way.

zd00191
Communicator

There should be a total of seventy bars on the chart. 10 stacked based on duration per day
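
Added example, not part of the original thread or any poster's own search: one way to rank jobs within each day instead of across the whole seven-day window, which is the per-day requirement described in the posts above. The base search is elided as in the answer; the field names avg_duration and rank are assumptions introduced here.

```spl
... | transaction JOB_NAME startswith="START*" unifyends=true
| bin _time span=1d
| stats avg(duration) AS avg_duration BY _time, JOB_NAME
| sort 0 _time, -avg_duration
| streamstats count AS rank BY _time
| where rank <= 10
| xyseries _time JOB_NAME avg_duration
```

Rendered as a stacked bar chart, each day's bar then contains only that day's ten jobs with the longest average duration; a job that is outside a given day's top ten is empty for that day.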
