https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222900#M65557 <P>Which splunk version are you using? Have you looked at the <A href="https://splunkbase.splunk.com/app/3120/">timeline app</A>? This might simplify your view. Just a thought.</P> Tue, 21 Jun 2016 14:46:52 GMT sundareshr 2016-06-21T14:46:52Z https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222899#M65556 <P>Hello,</P> <P>My business requirement is to have a view that shows the number of batch jobs on the Y-axis and the Time (in hour) on the X-axis. The rows events I have is looks something like below:</P> <PRE><CODE>2016-06-20T12:01:46.000 JOB_ID=1 JOB_START_TIME=1466438400.000 JOB_END_TIME=1466442106.714 JOB_NAME=Hello_job </CODE></PRE> <P>For this event, _time is based on when the row is inserted to the database table which gets updated once the job finishes executing. From this event, what I need to do is:</P> <P>1) Grab the start time and the end time<BR /> 2) Divide the difference between start time and end time by hours<BR /> 3) Tag the event with the hours <BR /> 4) Increment a count for each of those hours for this job</P> <P>There are multiple jobs running the system, so I might need to find the min or start times and max of end times to find out the entire range.</P> <P>If I select for yesterday's time in the dashboard (_time), then it should show me all the jobs that had completed yesterday with a swim lane of number of jobs executing at a given hour. </P> <P>Example:</P> <PRE><CODE>_time Job ID Job_Start_time Job_End_time 6/16/2016 1:30 AM Job 1 6/15/2016 11:00 PM 6/16/2016 1:20 AM 6/16/2016 3:55 AM Job 2 6/16/2016 1:00 AM 6/16/2016 3:50 AM 6/16/2016 3:56 AM Job 3 6/16/2016 2:00 AM 6/16/2016 3:55 AM 6/16/2016 4:12 AM Job 3 6/16/2016 3:20 AM 6/16/2016 4:10 AM </CODE></PRE> <P>The chart should be like following:</P> <PRE><CODE>Job1 | 1 1 0 0 0 Job2 | 0 1 1 1 1 Job3 | 0 0 1 2 1 ------------------------------------------- hrs== 12 1 2 3 4 </CODE></PRE> <P>Note that there were total of two Job3 executing between 3 AM to 4 AM timeframe which shows up in the chart. </P> <P>I guess it's hard to explain, but let me know if you have any questions to solve this puzzle<BR /> Appreciate your help.</P> Mon, 20 Jun 2016 20:31:32 GMT https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222899#M65556 ash2l 2016-06-20T20:31:32Z https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222900#M65557 <P>Which splunk version are you using? Have you looked at the <A href="https://splunkbase.splunk.com/app/3120/">timeline app</A>? This might simplify your view. Just a thought.</P> Tue, 21 Jun 2016 14:46:52 GMT https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222900#M65557 sundareshr 2016-06-21T14:46:52Z https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222901#M65558 <P>That's exactly what I need :). Unfortunately we are still on 6.3, is there any way to create a search query of whatever is done behind the scene for that app?</P> Tue, 21 Jun 2016 16:33:11 GMT https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222901#M65558 ash2l 2016-06-21T16:33:11Z https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222902#M65559 <P>Found my answer looking at <A href="https://answers.splunk.com/answers/82161/plot-up-or-down-state-over-time.html">https://answers.splunk.com/answers/82161/plot-up-or-down-state-over-time.html</A> post</P> Wed, 29 Jun 2016 14:56:13 GMT https://community.splunk.com/t5/Splunk-Search/Swimlanes-in-Splunk-Enterprise/m-p/222902#M65559 ash2l 2016-06-29T14:56:13Z