topic Re: Visualize ongoing actions based on start/stop time in Splunk Search

How to visualize ongoing actions based on start/stop time?

karjsim — Tue, 08 Nov 2022 15:43:26 GMT

Hi,

I have events which are received when action is finished on my system. Event contains start and stop time for action and unique action_id. So my event data is something like this:

I would like to get count of ongoing actions e.g with one minute resolution over selected time frame.

How to do that ?

Re: Visualize ongoing actions based on start/stop time

gcusello — Mon, 07 Nov 2022 08:04:39 GMT

Hi @karjsim,

you could try something like this:

<your_search> | eval diff=round((stoptime-starttime)/60,0)) | stats count BY diff

Ciao.

Giuseppe

Re: Visualize ongoing actions based on start/stop time

karjsim — Mon, 07 Nov 2022 08:14:38 GMT

Hi,

That does not show me how many actions are ongoing . What I want is to get count of ongoing actions e.g for every minute for last 24h. So basically like timechart of ongoing actions overtime but the problem is that since I have only one event which contains start/stop times of action I cannot use timechart.

Re: Visualize ongoing actions based on start/stop time

ITWhisperer — Mon, 07 Nov 2022 08:21:43 GMT

Try something like this

Re: Visualize ongoing actions based on start/stop time

karjsim — Mon, 07 Nov 2022 08:48:37 GMT

Hi,

It does not provide the needed result either. What I need is count of ongoing actions for e.g every minute.

Something like this:

Problem is that how to count ongoing actions on each time ? Somehow it should be searched if that time is between actions start - stop time and if it is action is ongoing on that time ?

Re: Visualize ongoing actions based on start/stop time

ITWhisperer — Mon, 07 Nov 2022 08:54:16 GMT

Try something like this

``` Duplicate events with start and end times ``` | eval time=mvappend(starttime, endtime) | mvexpand time ``` Reset event time ``` | eval _time=time ``` Determine if start or end event ``` | eval event=if(_time=starttime,1,-1) ``` Bucket into minutes ``` | bin _time span=1m ``` Move end time to next minute ``` | eval _time=if(event=-1,_time+60,_time) ``` Sort by _time ``` | sort 0 -time ``` Count events started in each minute minus those finished in the previous minute ``` | timechart sum(event) as ongoing span=1m

Re: Visualize ongoing actions based on start/stop time

karjsim — Mon, 07 Nov 2022 09:20:33 GMT

Hi,

I don't think that you understand my problem.

These actions on my system can be long lasting e.g hours or short e.g minutes from each action I have get one event after action is finished (which contains start/stop times and unique action_id).

And I would like to know how many actions were ongoing in each minute e.g in past 24h.

Re: Visualize ongoing actions based on start/stop time

ITWhisperer — Mon, 07 Nov 2022 09:47:51 GMT

Thank you for explaining your problem in more detail - try something like this

``` Duplicate events with start and end times ``` | eval time=mvappend(starttime, endtime) | mvexpand time ``` Reset event time ``` | eval _time=time ``` Determine if start or end event ``` | eval event=if(_time=starttime,1,-1) ``` Bucket into minutes ``` | bin _time span=1m ``` Move end time to next minute ``` | eval _time=if(event=-1,_time+60,_time) ``` Sort by _time ``` | sort 0 _time ``` Count events started in each minute minus those finished in the previous minute ``` | streamstats sum(event) as ongoing ``` Take maximum for each minute ``` | stats max(ongoing) as ongoing by _time ``` Fill in intervening minutes ``` | makecontinuous _time span=1m ``` Fill in ongoing values ``` | filldown ongoing

Re: Visualize ongoing actions based on start/stop time

karjsim — Mon, 07 Nov 2022 10:23:36 GMT

This will give me negative decreasing ongoing value over time.
Also you are now just focusing to start/stop times but you also need to take account that different actions can start or stop at the same time. I think that also action_id should be taken into account in search ?

Re: Visualize ongoing actions based on start/stop time

ITWhisperer — Mon, 07 Nov 2022 10:46:38 GMT

Please share your search - it sounds like you may have changed _time before determining the event type

Alternatively, you could do it this way

``` Duplicate events ``` | eval event=mvrange(1,3) | mvexpand event ``` Reset event time ``` | eval _time=if(event=1,starttime,endtime) ``` Determine if start or end event ``` | eval event=if(event=1,1,-1) ``` Bucket into minutes ``` | bin _time span=1m ``` Move end time to next minute ``` | eval _time=if(event=-1,_time+60,_time) ``` Sort by _time ``` | sort 0 _time ``` Count events started in each minute minus those finished in the previous minute ``` | streamstats sum(event) as ongoing ``` Take maximum for each minute ``` | stats max(ongoing) as ongoing by _time ``` Fill in intervening minutes ``` | makecontinuous _time span=1m ``` Fill in ongoing values ``` | filldown ongoing

You shouldn't need to take eventId into account so long as there is just one event per event Id