topic Timeline visualization using attributes of an single event in Splunk Search https://community.splunk.com/t5/Splunk-Search/Timeline-visualization-using-attributes-of-an-single-event/m-p/574681#M200266 <P>In order to visual a data table with 4 columns: time, resource1, resource2, duration.&nbsp; I know who to do this with data coming from different events.&nbsp; However in my case, all the data is stored in a single performance metric splunk event. The event would look like the blob below where measureStart node contains the start time of these tasks, and the measure node contains the durations of these tasks</P><P>Splunk Event:</P><P>{&nbsp;<BR />&nbsp; &nbsp; &nbsp;measureStart: {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "super_Task1: mini task1":&nbsp;<SPAN>2021-11-12T02:50:05.430Z,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task1: mini task2":&nbsp;2021-11-12T02:50:06.430Z,<BR /></SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task2: mini task1":&nbsp;<SPAN>2021-11-12T02:50:07.430Z,</SPAN><SPAN><BR />&nbsp; &nbsp; },<BR />&nbsp; &nbsp; measures: {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task1: mini task1":&nbsp;50,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task1: mini task2":&nbsp;100,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task2: mini task1":&nbsp;80,<BR />&nbsp; &nbsp; }<BR />}</SPAN></P><P><SPAN>I would like to produce a table that looks like this<BR />time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;supertasks&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tasks&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; duration<BR />2021-11-12T02:50:05.430Z&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; super_Task1&nbsp; &nbsp; &nbsp; &nbsp; point1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 50<BR />2021-11-12T02:50:06.430Z&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; super_Task1&nbsp; &nbsp; &nbsp; &nbsp; point2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;100<BR />2021-11-12T02:50:07.430Z&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; super_Task2&nbsp; &nbsp; &nbsp; &nbsp; point1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 80<BR /><BR />thank you very much!</SPAN></P> Fri, 12 Nov 2021 03:07:19 GMT Hung_Nguyen 2021-11-12T03:07:19Z Timeline visualization using attributes of an single event https://community.splunk.com/t5/Splunk-Search/Timeline-visualization-using-attributes-of-an-single-event/m-p/574681#M200266 <P>In order to visual a data table with 4 columns: time, resource1, resource2, duration.&nbsp; I know who to do this with data coming from different events.&nbsp; However in my case, all the data is stored in a single performance metric splunk event. The event would look like the blob below where measureStart node contains the start time of these tasks, and the measure node contains the durations of these tasks</P><P>Splunk Event:</P><P>{&nbsp;<BR />&nbsp; &nbsp; &nbsp;measureStart: {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "super_Task1: mini task1":&nbsp;<SPAN>2021-11-12T02:50:05.430Z,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task1: mini task2":&nbsp;2021-11-12T02:50:06.430Z,<BR /></SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task2: mini task1":&nbsp;<SPAN>2021-11-12T02:50:07.430Z,</SPAN><SPAN><BR />&nbsp; &nbsp; },<BR />&nbsp; &nbsp; measures: {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task1: mini task1":&nbsp;50,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task1: mini task2":&nbsp;100,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"super_Task2: mini task1":&nbsp;80,<BR />&nbsp; &nbsp; }<BR />}</SPAN></P><P><SPAN>I would like to produce a table that looks like this<BR />time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;supertasks&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tasks&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; duration<BR />2021-11-12T02:50:05.430Z&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; super_Task1&nbsp; &nbsp; &nbsp; &nbsp; point1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 50<BR />2021-11-12T02:50:06.430Z&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; super_Task1&nbsp; &nbsp; &nbsp; &nbsp; point2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;100<BR />2021-11-12T02:50:07.430Z&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; super_Task2&nbsp; &nbsp; &nbsp; &nbsp; point1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 80<BR /><BR />thank you very much!</SPAN></P> Fri, 12 Nov 2021 03:07:19 GMT https://community.splunk.com/t5/Splunk-Search/Timeline-visualization-using-attributes-of-an-single-event/m-p/574681#M200266 Hung_Nguyen 2021-11-12T03:07:19Z Re: Timeline visualization using attributes of an single event https://community.splunk.com/t5/Splunk-Search/Timeline-visualization-using-attributes-of-an-single-event/m-p/574722#M200276 <LI-CODE lang="markup">| makeresults | eval _raw="{ \"measureStart\": { \"super_Task1: mini task1\": \"2021-11-12T02:50:05.430Z\", \"super_Task1: mini task2\": \"2021-11-12T02:50:06.430Z\", \"super_Task2: mini task1\": \"2021-11-12T02:50:07.430Z\" }, \"measures\": { \"super_Task1: mini task1\": 50, \"super_Task1: mini task2\": 100, \"super_Task2: mini task1\": 80 } }" | spath measureStart | spath measures | spath input=measureStart | spath input=measures | fields - _raw measureStart measures | untable _time task values | rex field=values max_match=0 "(?&lt;values&gt;\S+)" | eval supertask=mvindex(split(task,":"),0) | eval task=trim(mvindex(split(task,":"),1)) | eval _time=strptime(mvindex(values,0),"%Y-%m-%dT%H:%M:%S.%QZ") | eval duration=mvindex(values,1) | fields - values</LI-CODE> Fri, 12 Nov 2021 09:52:48 GMT https://community.splunk.com/t5/Splunk-Search/Timeline-visualization-using-attributes-of-an-single-event/m-p/574722#M200276 ITWhisperer 2021-11-12T09:52:48Z