I want to set up a timechart, showing three different status. Now I found this SPL online, which was modified by myself. The problem still is that it only shows the time range of the last STATUS. How can I adapt the other ones to the chart?
| makeresults
| eval _raw = "DATETIME: 2017-07-11 08:04:06.99 -0700 STATUS: STATUS1 MSGTXT: ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| eval _raw = "DATETIME: 2017-07-11 08:04:06.99 -0700 STATUS: STATUS2 MSGTXT: ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:00:06.99 -0700","%Y-%m-%d %H:%M:%S")
| eval _raw = "DATETIME: 2017-07-11 08:04:06.99 -0700 STATUS: STAU MSGTXT: ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults
| eval _raw = "DATETIME: 2017-07-11 06:53:40.50 -0700 STATUS: STATUS1 MSGTXT: STARTED - TIME=06.53.40 "
| eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]
| append [| makeresults
| eval _raw = "DATETIME: 2017-07-11 06:53:40.50 -0700 STATUS: STATUS2 MSGTXT: STARTED - TIME=06.53.40 "
| eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults
| eval _raw = "DATETIME: 2017-07-11 06:53:40.50 -0700 STATUS: STAU MSGTXT: STARTED - TIME=06.53.40 "
| eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")
| rex field=_raw "STATUS:\s+(?<STATUS>\w+)\s+"
| stats min(_time) as _time max(_time) as ENDTIME by STATUS
| eval duration=ENDTIME-_time
| table _time STATUS duration
... View more