Splunk Search

How create line chart using Time (Hour) in Y-axis and Date (Days) in X-axis

julio19
Explorer

Hi Guys,

Well, I have this structured log:
MEMBER, JOBNAME, JOBID, DATE_START, HOUR_START, DATE_END, HOUR_END, DURATION, GROUP, CPUTIME
PLCZBA20,PLCZBA20,21010,07/26/17,17:00,07/26/17,17:00,00:11,UAT,00:00.3
PLCADA20,PLCADA20,21008,07/26/17,17:00,07/26/17,17:00,00:11,UAT,00:00.4

And I'm trying to create next chart (for example):

[image: the example chart]

To add some detail: the field DURATION is in the format %M:%S, and the fields HOUR_START & HOUR_END are in %H:%M;
the field _time now correctly takes the start date and time.

I was trying with this query, but it didn't convert to display the time on the Y-axis, and I'm not sure if this is the right way.

MYSEARCH
| bucket _time span=1d
| rex field=DURATION "(?<Mins>.{2}+):(?<Sec>.{2}+)" 
| fillnull value=0
| eval secs=Mins*60+Sec
| eval duration = secs * 1000 
| stats count by _time, duration, "JOBNAME"
| table _time "JOBNAME"  duration
| convert timeformat="%H:%M" ctime(duration) AS duration
| chart max(duration) over _time by JOBNAME

Can someone help me please!!

Regards.

1 Solution

DalJeanis
Legend

Interesting use case.

Okay, so you have dates across the bottom, and you have jobs that always run in sequence, and you need to know when they ran, so you're making the equivalent of a stacked bar chart and visually conforming it to a line chart...

Okay, you can GET the graph, that's not a problem. Strip your problem back to understanding what will put the points on the graph...

Your target events basically have this format...

_time   (the display date), 
RunTime (the number of seconds after midnight they ran)
JobStep (the title for that series)

...but really, your production window looks like 10PM to 11AM, so that format needs to be modified to...

_time   (the display date... the date of the prior night)
RunTime (the number of seconds after window-start that they ran)
JobStep (the title for that series)

When you put it into that format, you can get your desired line graphs. The main problem is the lack of being able to format the y axis, especially when you're rolling over from p to a.

My temptation on this one would be to bump the date up to the next day and calculate the decimal hours, so that the left axis starts at -2 for 10pm and goes up to +12 for noon.

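One way to put the accepted answer's approach into a search, as an added example that is not from the original thread: it assumes the CSV fields from the question (DATE_START as %m/%d/%y, HOUR_START as %H:%M, JOBNAME), a production window starting at 22:00 (taken from the answer's "10PM to 11AM"), and the field names window_start, start_epoch, hour_dec and RunHours, which are chosen here.

```spl
MYSEARCH
| eval window_start=22
| eval start_epoch=strptime(DATE_START." ".HOUR_START, "%m/%d/%y %H:%M")
| eval hour_dec=tonumber(strftime(start_epoch, "%H")) + tonumber(strftime(start_epoch, "%M"))/60
| eval RunHours=if(hour_dec >= window_start, hour_dec - 24, hour_dec)
| eval _time=if(hour_dec >= window_start, relative_time(start_epoch, "+1d@d"), relative_time(start_epoch, "@d"))
| chart max(RunHours) over _time by JOBNAME
```

Line by line: window_start is the hour after midnight at which the nightly window opens (22 = 10PM, an assumption from the answer); start_epoch rebuilds the job's start timestamp from the two CSV fields (if _time already holds that timestamp, as the question says, `strftime(_time, ...)` can be used instead); hour_dec is decimal hours after midnight, so 17:30 becomes 17.5; a run at or after 22:00 belongs to the next day's window, so its date is rolled forward with `relative_time(start_epoch, "+1d@d")` and its hour made negative, which gives the -2 (10PM) to 12 (noon) axis the answer describes; finally chart draws one series per JOBNAME with one point per display date, keeping the latest start when a job ran more than once that day. The y axis still shows decimal hours rather than %H:%M, which is the formatting limitation the answer points out.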


kingwaras
Engager

Hi @julio19,

Can you paste the complete code of your query graph?
I have the same problem.

Thanks in advance.


tmarlette
Motivator

I'm a little fuzzy on what you're trying to do; however, you may want to use the | timechart command.

| timechart span=1h will give you hourly buckets of things

so maybe

 <my_root_search> 
 | rex field=DURATION "(?<Mins>.{2}+):(?<Sec>.{2}+)" 
 | fillnull value=0
 | eval secs=Mins*60+Sec
 | eval duration = secs * 1000 
 | timechart span=1h max(duration) AS duration by JOBNAME

julio19
Explorer

First, thanks for your time. The query is correct, but can I show the time on the Y-axis in a format similar to the image, %H:%M:%S?

Is this possible? Or does any app exist that can help me?
