All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timeline - Custom Visualization: How to properly graph time as duration?

Toshbar
Explorer
‎07-24-2017 08:52 AM

I'm trying to create a timeline visualization based off of the DATETIME and JOBNAME these two logs:

 DATETIME:   2017-07-11 08:04:06.99 -0700   
 JOBNAME:    CIBI825D   
 MSGTXT:     IEF404I CIBI825D - ENDED - TIME=08.04.06   


 DATETIME:   2017-07-11 06:53:40.50 -0700   
 JOBNAME:    CIBI825D   
 MSGTXT:     IEF403I CIBI825D - STARTED - TIME=06.53.40

I can currently show start/end times as points but I'm unable to graph them as a range of time using the duration_field as noted in the documentation. The below documentation link shows that I'm trying to achieve: Row RFC, blue block

alt text

I'm able to create the timeline visualization with the simple query below to get the start and end point graphed.

index = x MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| regex JOBNAME = "CIBI825D"

| table DATETIME JOBNAME

alt text

The splunk documentation for timeline visualization shows that I need the starttime and duration so here is the query I came up with to get the duration.

index = x MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| regex JOBNAME = "CIBI825D"
| rex field=DATETIME "(?<time>[^\r\n]+)"
| eval time=strptime(time, "%Y-%m-%d %H:%M:%S")
| stats range(time) AS duration BY JOBNAME

| append[search 
index = x  MSGTXT = "*started - time*"
| regex JOBNAME = "CIBI825D"
| rex field=DATETIME "(?<STARTTIME>[^\r\n]+)"
| eval STIME=strptime(STARTTIME, "%Y-%m-%d %H:%M:%S")
    ]

|table STARTTIME JOBNAME duration

Here is the picture of what it looks like. I'm not sure why it isn't working. I tried to convert seconds to milliseconds like the documentation says but that doesn't work as well.

alt text

Also, as a followup question, after this I would like do combine multiple JOBNAMES to show multiple ranges on a single row. Is this possible? If yes, how would I do that?

Preview file
92 KB
Preview file
86 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-25-2017 10:52 AM

@Toshbar, if you have ingested your data with valid timestamp recognition, ideally you should have _time field extracted from pattern DATETIME:

| makeresults
| eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    JOBNAME:     CIBI825D    MSGTXT:     IEF404I CIBI825D - ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults 
          | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700    JOBNAME:     CIBI825D    MSGTXT:     IEF403I CIBI825D - STARTED - TIME=06.53.40 "
          | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]

The above is to generate sample data. Following is to generate required table for plotting duration by Job Name on Timeline custom visualization.

| rex field=_raw "JOBNAME:\s+(?<JOBNAME>\w+)\s+"
| stats min(_time) as _time max(_time) as ENDTIME by JOBNAME
| eval duration=ENDTIME-_time
| table _time JOBNAME duration
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-25-2017 10:52 AM

@Toshbar, if you have ingested your data with valid timestamp recognition, ideally you should have _time field extracted from pattern DATETIME:

| makeresults
| eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    JOBNAME:     CIBI825D    MSGTXT:     IEF404I CIBI825D - ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults 
          | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700    JOBNAME:     CIBI825D    MSGTXT:     IEF403I CIBI825D - STARTED - TIME=06.53.40 "
          | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]

The above is to generate sample data. Following is to generate required table for plotting duration by Job Name on Timeline custom visualization.

| rex field=_raw "JOBNAME:\s+(?<JOBNAME>\w+)\s+"
| stats min(_time) as _time max(_time) as ENDTIME by JOBNAME
| eval duration=ENDTIME-_time
| table _time JOBNAME duration
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Toshbar
Explorer
‎08-02-2017 08:46 AM

I forgot to reply. This worked perfectly thank you.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-02-2017 09:01 AM

@Toshbar, glad it worked. Let me convert to answer so that you can accept and mark as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...