Splunk Search

How to display a chart with search jobs and the time range within they run?

rvisj
New Member

I have some jobs, which have some time frame to run. Every job belongs to some track.
My purpose is to plot Track vs Time-range chart for those jobs.
I tried using chart and timechart but they have to have some aggregate function on on axis. In this case it is not necessary.
Any tips will be helpful!!

Tags (3)
0 Karma

woodcock
Esteemed Legend

Use first as your aggregate function.

Or perhaps try the contingency function, like this:

... | contingency Track Time-range
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

If it is not necessary, for example because you have already computed the single value you want for each time period, then you can use any of min or max or avg because they will all give the same result.

0 Karma

rvisj
New Member

I have to display time- range, (start-time and end-time) Vs Track. So when using either aggregate function it will return single value, but it should be time range. I am trying using Timeline Visualization.

0 Karma

rvisj
New Member
0 Karma

cmerriman
Super Champion

what is your current syntax?

0 Karma

niketn
Legend

@rvisj... If you have start time and end time (to come up with duration), please check out the Timeline custom visualization : https://splunkbase.splunk.com/app/3120/

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rvisj
New Member

yes I tried, almost got it. one issue remaining is I have to show separate timeline for each event, not overlapped.
Query:
/source/ | rename "Date Event Began" AS start_date | rename "Date of Restoration" AS end_date | rename "Time Event Began" AS start_time | rename "Time of Restoration" AS end_time | eval _time = strptime(start_date." ".start_time, "%m/%d/%Y %H:%M") | eval end_time = strptime(end_date." ".end_time, "%m/%d/%Y %H:%M") | eval duration = (end_time - _time) * 1000 |stats count by _time, Track, duration, "job" | table _time "Track" "job" duration

I want to skip Track and display separate timeline for each job in that track hence avoiding overlap

0 Karma

rvisj
New Member

correction: I want to skip group by track

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...