I've searched here for quite a while and didn't find what I'm looking for, or maybe I'm not wording it correctly...
I need to graph cumulative CPU core usage for multiple events given _time, duration and cpu_usage. Only "start" events are recorded.
For example:
Record A starts at 5:00pm, runs for 30 minutes, uses 10 cores.
Record B starts at 5:10pm, runs for 10 minutes, uses 100 cores.
I need to graph the hill this would result in: 0 cores at before 5:00pm, to 10 cores at 5:00pm, up to 110 cores at 5:10pm until 5:20pm, then back down to 10 cores at 5:20pm then to 0 cores after 5:20pm with no gaps between at intervals of 10 minutes.
concurrency doesn't work since it only counts the number of overlapping events and I need to take a sum against a field within overlapping events. Currently I have this query which is close but only shows instantaneous usage at the time the matching/overlapping records were created (no duration):
index=... source="..." (selection query) | dedup jobid | eval endt=_time+duration | stats min(_time) as start max(endt) as end sum(cpus) as cpus by _time | timechart span=10m sum(cpus)
... View more