Swimlanes in Splunk Enterprise

ash2l
Path Finder

Hello,

My business requirement is to have a view that shows the number of batch jobs on the Y-axis and the time (in hours) on the X-axis. The row events I have look something like the one below:

2016-06-20T12:01:46.000 JOB_ID=1 JOB_START_TIME=1466438400.000 JOB_END_TIME=1466442106.714 JOB_NAME=Hello_job 

For this event, _time is based on when the row is inserted into the database table, which gets updated once the job finishes executing. From this event, what I need to do is:

1) Grab the start time and the end time
2) Divide the difference between start time and end time by hours
3) Tag the event with the hours
4) Increment a count for each of those hours for this job

There are multiple jobs running in the system, so I might need to find the min of start times and max of end times to find out the entire range.

If I select yesterday's time in the dashboard (_time), then it should show me all the jobs that had completed yesterday with a swim lane of the number of jobs executing at a given hour.

Example:

_time                Job ID   Job_Start_time        Job_End_time
6/16/2016 1:30 AM    Job 1    6/15/2016 11:00 PM    6/16/2016 1:20 AM
6/16/2016 3:55 AM    Job 2    6/16/2016 1:00 AM     6/16/2016 3:50 AM
6/16/2016 3:56 AM    Job 3    6/16/2016 2:00 AM     6/16/2016 3:55 AM
6/16/2016 4:12 AM    Job 3    6/16/2016 3:20 AM     6/16/2016 4:10 AM

The chart should be like the following:

Job1  |  1     1     0     0     0
Job2  |  0     1     1     1     1
Job3  |  0     0     1     2     1
-------------------------------------------
hrs==    12    1     2     3     4   

Note that there were a total of two Job3 executing in the 3 AM to 4 AM timeframe, which shows up in the chart.

I guess it's hard to explain, but let me know if you have any questions to solve this puzzle.
Appreciate your help.

0 Karma
sundareshr
Legend

Which Splunk version are you using? Have you looked at the timeline app? This might simplify your view. Just a thought.

0 Karma

ash2l
Path Finder

That's exactly what I need :). Unfortunately we are still on 6.3. Is there any way to create a search query of whatever is done behind the scenes for that app?

0 Karma
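
One way to write the per-hour count described in the question as a plain search, added here as an example that is not part of the original thread and is not the timeline app's own logic. The lines from `makeresults` through the `JOB_END_TIME` eval only build constructed sample events from the question's table; in a real search they are replaced by the base search, which is assumed to return `JOB_NAME`, `JOB_START_TIME` and `JOB_END_TIME` as epoch values. The helper field names `row`, `f`, `first_hour` and `hour` are made up for this example.

```spl
| makeresults
| eval row=split("Job1,2016-06-15 23:00,2016-06-16 01:20;Job2,2016-06-16 01:00,2016-06-16 03:50;Job3,2016-06-16 02:00,2016-06-16 03:55;Job3,2016-06-16 03:20,2016-06-16 04:10", ";")
| mvexpand row
| eval f=split(row, ",")
| eval JOB_NAME=mvindex(f, 0)
| eval JOB_START_TIME=strptime(mvindex(f, 1), "%Y-%m-%d %H:%M")
| eval JOB_END_TIME=strptime(mvindex(f, 2), "%Y-%m-%d %H:%M")
| eval first_hour=floor(relative_time(JOB_START_TIME, "@h"))
| eval hour=mvrange(first_hour, ceiling(JOB_END_TIME), 3600)
| mvexpand hour
| eval hour=strftime(hour, "%Y-%m-%d %H:00")
| chart count over hour by JOB_NAME
```

`mvrange` excludes its end value, so a job that ends exactly on the hour is not counted in the hour that follows. `mvexpand` is subject to a memory limit, so very long-running jobs over a wide time range can produce truncated results.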