https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71930#M17983 <PRE><CODE>host=myserver JobWrapper | transaction keepevicted=true jobid | where job="provisioningJob" | stats max(duration) AS readytime by jobcallerref </CODE></PRE> <P>our logfiles has different provisioningJobs for each user (identified by the jobcallerref), the 'readytime', the time before the user is fully provisioned is determined by the longest running job.</P> <P>with the above query i get a list of the longest durations for each user.</P> <P>now i would like to chart it over time ... i am no longer interested in tje jobcallerref, so i want to graph those 'readytime's over the time they occured. </P> <P>can't figure out how to feed these results back into a timechart ... </P> Thu, 31 Mar 2011 17:43:50 GMT bowa 2011-03-31T17:43:50Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71930#M17983 <PRE><CODE>host=myserver JobWrapper | transaction keepevicted=true jobid | where job="provisioningJob" | stats max(duration) AS readytime by jobcallerref </CODE></PRE> <P>our logfiles has different provisioningJobs for each user (identified by the jobcallerref), the 'readytime', the time before the user is fully provisioned is determined by the longest running job.</P> <P>with the above query i get a list of the longest durations for each user.</P> <P>now i would like to chart it over time ... i am no longer interested in tje jobcallerref, so i want to graph those 'readytime's over the time they occured. </P> <P>can't figure out how to feed these results back into a timechart ... </P> Thu, 31 Mar 2011 17:43:50 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71930#M17983 bowa 2011-03-31T17:43:50Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71931#M17984 <P>I hope that one works (you'd change span value to something smaller/bigger)</P> <PRE><CODE>host=myserver JobWrapper | transaction keepevicted=true jobid | where job="provisioningJob" | timechart span=10m max(duration) by jobcallerref </CODE></PRE> Thu, 31 Mar 2011 18:41:55 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71931#M17984 LCM 2011-03-31T18:41:55Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71932#M17985 <P>thats not what i ment ... i am no longer interested in the jobcallerrefs in the chart ... just those max values.</P> Thu, 31 Mar 2011 18:48:36 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71932#M17985 bowa 2011-03-31T18:48:36Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71933#M17986 <P>hmm, not sure and running out of options <span class="lia-unicode-emoji" title=":winking_face:">😉</span> . . .</P> <P>search | timechart span=10m max(duration) by duration<BR /> search | timechart span=10m max(duration)</P> Thu, 31 Mar 2011 19:31:32 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71933#M17986 LCM 2011-03-31T19:31:32Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71934#M17987 <P>i think its just not possible ...</P> <P>this post is pretty related : <A href="http://answers.splunk.com/questions/4142/weirdness-using-max-and-min-in-eval-operating-on-numeric-multivalue-fields">http://answers.splunk.com/questions/4142/weirdness-using-max-and-min-in-eval-operating-on-numeric-multivalue-fields</A></P> <P>the fact that the max() can only be used with stats, timechart and chart is the basic problem ... i would like to use it as a filter, only continue with the max values from multi-value fields.</P> Thu, 31 Mar 2011 19:51:33 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71934#M17987 bowa 2011-03-31T19:51:33Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71935#M17988 <P>alright, and sorry for not helping at all - I rate your question up, so maybe some smart guys can take care, or request a feature <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 31 Mar 2011 19:57:29 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71935#M17988 LCM 2011-03-31T19:57:29Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71936#M17989 <PRE><CODE>| stats max(duration) AS readytime, max(_time) as _time by jobcallerref |fields + _time, readytime </CODE></PRE> <P>Finally found something in the direction of what i want ... the trick was to do also a max() or min() or something on the _time field</P> Fri, 01 Apr 2011 13:45:24 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71936#M17989 bowa 2011-04-01T13:45:24Z https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71937#M17990 <P>Sounds like you're getting there. Timechart doesnt know what <EM>kind</EM> of rows you're giving it. Just as long as you give it a _time field it'll happily chart the rows as though they were events. </P> <P>So this might get you a step closer. </P> <PRE><CODE>host=myserver JobWrapper | transaction keepevicted=true jobid | where job="provisioningJob" | stats max(_time) as _time max(duration) AS readytime by jobcallerref | timechart max(readytime) by jobcallerref </CODE></PRE> <P>although i suspect you may be hoping for something closer to a Gantt chart, which cant really be done.</P> Fri, 01 Apr 2011 14:02:05 GMT https://community.splunk.com/t5/Splunk-Search/outcome-of-stats-into-timechart/m-p/71937#M17990 sideview 2011-04-01T14:02:05Z