Archive

query to chart total duration by Jobname daily for over a period of time

Explorer

I wrote the belong query to chart total duration by Jobname daily for over a period of time
the results comes up with 1 day only.
any help is much appreciated.

index="dnr_ecc"  jobname="*IC*HV_TREX" | bucket _time span=1d | stats max(total_run_time) by jobname
Tags (1)
0 Karma

Esteemed Legend

What is wrong with this:

index="dnr_ecc" jobname="*IC*HV_TREX"
| timechart span=1d max(total_run_time) BY jobname
0 Karma

SplunkTrust
SplunkTrust

Your stats command is not doing aggregation based on _time, hence it's giving for overall period, instead of each day. Try like this

index="dnr_ecc"  jobname="*IC*HV_TREX" | bucket _time span=1d | stats max(total_run_time) by _time jobname

Other variations that you can try are

index="dnr_ecc"  jobname="*IC*HV_TREX" | timechart span=1d max(total_run_time) by jobname

index="dnr_ecc"  jobname="*IC*HV_TREX" | eval date=strftime(_time,"%m/%d/%Y") | chart max(total_run_time) by jobname date

Explorer

The query I wrote:

  index="dnr_ecc" jobname="*IC*HV_TREX" |
    bucket _time span=1d | dedup jobname jobcount sortby -_time |
    chart max(total_run_time) over _time by jobname
0 Karma