Timeline - Custom Visualization: How to properly graph time as duration?

Toshbar
Explorer

I'm trying to create a timeline visualization based on the DATETIME and JOBNAME of these two logs:

 DATETIME:   2017-07-11 08:04:06.99 -0700   
 JOBNAME:    CIBI825D   
 MSGTXT:     IEF404I CIBI825D - ENDED - TIME=08.04.06   


 DATETIME:   2017-07-11 06:53:40.50 -0700   
 JOBNAME:    CIBI825D   
 MSGTXT:     IEF403I CIBI825D - STARTED - TIME=06.53.40 

I can currently show start/end times as points, but I'm unable to graph them as a range of time using the duration_field as noted in the documentation. The documentation screenshot below shows what I'm trying to achieve: row RFC, blue block.

[screenshot: documentation example, row RFC drawn as a blue block]

I'm able to create the timeline visualization with the simple query below to get the start and end point graphed.

index = x MSGTXT = "*started - time*" OR "*ended - time*"
| regex JOBNAME = "CIBI825D"
| table DATETIME JOBNAME

[screenshot: timeline showing the start and end points]

The Splunk documentation for the timeline visualization shows that I need the start time and duration, so here is the query I came up with to get the duration.

index = x MSGTXT = "*started - time*" OR "*ended - time*"
| regex JOBNAME = "CIBI825D"
| rex field=DATETIME "(?<time>[^\r\n]+)"
| eval time=strptime(time, "%Y-%m-%d %H:%M:%S")
| stats range(time) AS duration BY JOBNAME
| append [search
    index = x MSGTXT = "*started - time*"
    | regex JOBNAME = "CIBI825D"
    | rex field=DATETIME "(?<STARTTIME>[^\r\n]+)"
    | eval STIME=strptime(STARTTIME, "%Y-%m-%d %H:%M:%S")
    ]
| table STARTTIME JOBNAME duration

Here is a picture of what it looks like. I'm not sure why it isn't working. I tried to convert seconds to milliseconds like the documentation says, but that doesn't work either.

[screenshot: result of the duration query]

Also, as a follow-up question, after this I would like to combine multiple JOBNAMEs to show multiple ranges on a single row. Is this possible? If so, how would I do that?

1 Solution

niketn
Legend

@Toshbar, if you have ingested your data with valid timestamp recognition, ideally you should have the _time field extracted from the DATETIME pattern:

| makeresults
| eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    JOBNAME:     CIBI825D    MSGTXT:     IEF404I CIBI825D - ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults 
          | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700    JOBNAME:     CIBI825D    MSGTXT:     IEF403I CIBI825D - STARTED - TIME=06.53.40 "
          | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]

The above generates sample data. The following generates the required table for plotting duration by job name on the Timeline custom visualization.

| rex field=_raw "JOBNAME:\s+(?<JOBNAME>\w+)\s+"
| stats min(_time) as _time max(_time) as ENDTIME by JOBNAME
| eval duration=ENDTIME-_time
| table _time JOBNAME duration
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
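Added example, not from the question or the accepted answer: a Python script that does offline what the accepted SPL does, parsing DATETIME/JOBNAME/MSGTXT records, grouping by JOBNAME and computing start time plus duration (one row per job, which is also how several jobs end up as separate bars). It additionally flags a job that has STARTED but not yet ENDED, which min/max alone would show as a zero-length bar. The records are constructed and CIBI910Y is a hypothetical job name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the question's DATETIME/JOBNAME/MSGTXT layout.
# CIBI910Y is a hypothetical job that has STARTED but has no ENDED record yet.
SAMPLE_LOG = """\
DATETIME:   2017-07-11 08:04:06.99 -0700
JOBNAME:    CIBI825D
MSGTXT:     IEF404I CIBI825D - ENDED - TIME=08.04.06

DATETIME:   2017-07-11 06:53:40.50 -0700
JOBNAME:    CIBI825D
MSGTXT:     IEF403I CIBI825D - STARTED - TIME=06.53.40

DATETIME:   2017-07-11 07:30:00.00 -0700
JOBNAME:    CIBI910Y
MSGTXT:     IEF403I CIBI910Y - STARTED - TIME=07.30.00
"""

FIELD_RE = re.compile(r"^(DATETIME|JOBNAME|MSGTXT):\s+(.*?)\s*$", re.MULTILINE)
# Full format with fractional seconds and UTC offset. Python's strptime rejects
# unparsed trailing text, so a format ending at %S (as in the SPL) fails here.
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f %z"


def parse_records(text):
    """Split blank-line-separated records into {DATETIME, JOBNAME, MSGTXT} dicts."""
    records = []
    for chunk in text.strip().split("\n\n"):
        fields = dict(FIELD_RE.findall(chunk))
        if {"DATETIME", "JOBNAME", "MSGTXT"} <= fields.keys():
            records.append(fields)
    return records


def job_durations(records):
    """Mirror `stats min(_time) as _time max(_time) as ENDTIME by JOBNAME` and
    `eval duration=ENDTIME-_time`. Returns {JOBNAME: (start_epoch, duration_s)};
    duration is None when the job has no ENDED record (still running)."""
    times, ended = defaultdict(list), set()
    for r in records:
        times[r["JOBNAME"]].append(datetime.strptime(r["DATETIME"], TIME_FMT).timestamp())
        if " - ENDED - " in r["MSGTXT"]:
            ended.add(r["JOBNAME"])
    rows = {}
    for job, ts in times.items():
        start, end = min(ts), max(ts)
        rows[job] = (start, round(end - start, 2) if job in ended else None)
    return rows
```

The duration is in seconds as in the accepted answer; multiply by 1000 if your visualization is configured to expect milliseconds.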

Toshbar
Explorer

I forgot to reply. This worked perfectly thank you.


niketn
Legend

@Toshbar, glad it worked. Let me convert this to an answer so that you can accept it and mark the question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"