https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58246#M14228 <P>Greetings, I am struggling to create a chart to show when our backups begin and end for each server. The purpose is to show how many over lapping backups are running at a single time so that we can stagger them as not to overload our NAS.</P> <P>We are indexing messages for backups as such:</P> <P>When it starts: host=hostname name=backup action=begin<BR /> When it ends: host=hostname name=backup action=end</P> <P>I would like something similar to<BR /></P> <P><EM>Hostname: &nbsp; &nbsp; &nbsp; &nbsp; Time</EM> <BR /> Host1:&nbsp;&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; [======]<BR /> Host2:&nbsp; &nbsp; &nbsp; &nbsp; [=====]<BR /> Host3: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [===]<BR /> etc. <BR /><BR /> That is my vision - a nice simple way to see when backups start/end for each host. <BR /></P> <P>Any help or a point in the right direction would be much appreciated.</P> <P>Thanks</P> Sat, 12 Mar 2011 05:33:47 GMT rebourne 2011-03-12T05:33:47Z https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58246#M14228 <P>Greetings, I am struggling to create a chart to show when our backups begin and end for each server. The purpose is to show how many over lapping backups are running at a single time so that we can stagger them as not to overload our NAS.</P> <P>We are indexing messages for backups as such:</P> <P>When it starts: host=hostname name=backup action=begin<BR /> When it ends: host=hostname name=backup action=end</P> <P>I would like something similar to<BR /></P> <P><EM>Hostname: &nbsp; &nbsp; &nbsp; &nbsp; Time</EM> <BR /> Host1:&nbsp;&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; [======]<BR /> Host2:&nbsp; &nbsp; &nbsp; &nbsp; [=====]<BR /> Host3: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [===]<BR /> etc. <BR /><BR /> That is my vision - a nice simple way to see when backups start/end for each host. <BR /></P> <P>Any help or a point in the right direction would be much appreciated.</P> <P>Thanks</P> Sat, 12 Mar 2011 05:33:47 GMT https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58246#M14228 rebourne 2011-03-12T05:33:47Z https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58247#M14229 <P>You probably want to combine <CODE>transaction</CODE> with <CODE>concurrency</CODE></P> <PRE><CODE>... | transaction host name startswith=("action=begin") endswith=("action=end") | concurrency duration=duration </CODE></PRE> <P>This will list your backups, each with an additional field <CODE>concurrency</CODE> indicating the number of backups running at the start of that backup</P> Sat, 12 Mar 2011 09:25:49 GMT https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58247#M14229 gkanapathy 2011-03-12T09:25:49Z https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58248#M14230 <P>Excellent! Thank you! I now have the duration of the events. Is there a way to have the duration show at the time that the event started? I am close with:</P> <P>... | transaction host name startswith=("action=begin") endswith=("action=end") | concurrency duration=duration | timechart span=10m sum(duration) by host</P> <P>This gets me close but the duration does not match up with the time. Ideas?</P> <P>Thank you for your time!</P> Tue, 15 Mar 2011 00:34:12 GMT https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58248#M14230 rebourne 2011-03-15T00:34:12Z https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58249#M14231 <P>the <CODE>transaction</CODE> command adds a <CODE>duration</CODE> field to each transaction it assembles. Is that not what you need to see? So every transaction group will have <CODE>_time</CODE> and <CODE>duration</CODE> fields.</P> Tue, 15 Mar 2011 01:09:05 GMT https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58249#M14231 gkanapathy 2011-03-15T01:09:05Z https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58250#M14232 <P>I do see the duration. However when I graph the duration, it is graphing it as a value, not time. Is there a way to graph the duration over time? For example, action=begin would be at 1am and action=end would be at 2am. I would like to graph between 1am to 2am for host1, whereas host2 would be from 1:30am-2am.</P> Tue, 15 Mar 2011 02:37:22 GMT https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58250#M14232 rebourne 2011-03-15T02:37:22Z https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58251#M14233 <P>Oh I see, you want a concurrency chart like Gantt-type chart. Unfortunately, Splunk's charting modules don't display these easily with Splunk's data, and I haven't been able to come up with a good way to make it work. I suppose I'd just file an enhancement request. Note that Splunk's own <CODE>dbinspect</CODE> command displays a chart like what you want, but it does some ugly hacking to generate data to fit the display capabilities of the Splunk charting modules.</P> Tue, 15 Mar 2011 03:44:32 GMT https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58251#M14233 gkanapathy 2011-03-15T03:44:32Z https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58252#M14234 <P>I wanted to do something similar. So very easy to to in HTML - and common. Wonder why this is such a roadblock for Splunk.<BR /> Thanks</P> Wed, 07 May 2014 21:38:14 GMT https://community.splunk.com/t5/Splunk-Search/Histogram-Chart-Question/m-p/58252#M14234 dmcguerty 2014-05-07T21:38:14Z