How to setup a timechart showing three different s...

ThomasLehenberg · ‎04-04-2018

I want to set up a timechart, showing three different status. Now I found this SPL online, which was modified by myself. The problem still is that it only shows the time range of the last STATUS. How can I adapt the other ones to the chart?

| makeresults
     | eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    STATUS:     STATUS1    MSGTXT:     ENDED - TIME=08.04.06"
     | eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S") 
     | eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    STATUS:     STATUS2    MSGTXT:     ENDED - TIME=08.04.06"
     | eval _time = strptime("2017-07-11 08:00:06.99 -0700","%Y-%m-%d %H:%M:%S")
     | eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    STATUS:     STAU  MSGTXT:     ENDED - TIME=08.04.06"
     | eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
     | append [| makeresults 
               | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700   STATUS:     STATUS1    MSGTXT:     STARTED - TIME=06.53.40 "
               | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]
  | append [| makeresults 
               | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700   STATUS:     STATUS2    MSGTXT:     STARTED - TIME=06.53.40 "
               | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")
                 | append [| makeresults 
               | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700   STATUS:     STAU    MSGTXT:     STARTED - TIME=06.53.40 "
               | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")
     | rex field=_raw "STATUS:\s+(?<STATUS>\w+)\s+"
     | stats min(_time) as _time max(_time) as ENDTIME by STATUS
     | eval duration=ENDTIME-_time
     | table _time STATUS duration

Azeemering · ‎04-05-2018

Simple example:

Lets's say you have 3 events:

2017-07-11 08:04:07.99 STATUS=STARTED
2017-07-11 08:04:08.99 STATUS=ENDED
2017-07-11 08:04:09.99 STATUS=RUNNING

See: https://imgur.com/a/7gRrw

You can run your spl query:

source="timechart.txt" sourcetype="sourcetypestatus" | timechart count by STATUS.
You will get a table where _time is the first column (X-Axis) and the subsequent columns (STARTED ENDED and RUNNING) provide the Y-Axis values).

See: https://imgur.com/a/03yol

This is the simplest form of timecharting results

ThomasLehenberg · ‎04-05-2018

Hi,

thanks for the quick response.
i'm going to add a screenshot
As you can see, it only shows the last status, and a timeline showing the duration of the "process". I'd like to see the duration of the other two processes as well. This is my problem.

kmaron · ‎04-04-2018

There are some issues with the SPL you pasted. But I also don't see a timechart. What value are you trying to timechart?

How to setup a timechart showing three different statuses?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!