Dashboards & Visualizations

How do you make a line graph where the y-axis is time, and the x-axis is the name of the event?

alanxu
Communicator

Hello,
I want to create a line graph where the y-axis is time and the x-axis is the name of the event. How would you create that line graph? An example of the file is:

 2015-05-22 00:05:02,318 INFO Begin Payment 
 2015-05-22 00:10:17,090 INFO Finished Payment

So I want the x-axis to be the payment and the y-axis to be the time it took for the payment to finish, in this case 5 minutes.

0 Karma
1 Solution

woodcock
Esteemed Legend

Based on this comment of yours:

The "Payment" string is unique

This is the best that can be done:

... | rex "INFO\s+(?<TransactionType>[\S]+)\s+(?<PaymentString>.*)$" | stats earliest(_time) AS start latest(_time) AS stop BY PaymentString | eval duration=stop-start

If you would like to chart it, you can do something like this:

... | rex "INFO\s+(?<TransactionType>[\S]+)\s+(?<PaymentString>.*)$" | eventstats earliest(_time) AS start latest(_time) AS stop BY PaymentString | where TransactionType="Finished" | eval duration=stop-start | timechart span=1h avg(duration)

woodcock
Esteemed Legend

Also, check out the answer to this question which I believe is either the same or very related:

http://answers.splunk.com/answers/301060/how-to-create-a-line-graph-in-xml-that-displays-th-1.html

woodcock
Esteemed Legend

Your event examples are woefully inadequate but assuming you have fields like AccountNumber and PaymentAmount, then do it like this:

... | rex "INFO\s+(?<TransactionType>.*)" | eventstats earliest(_time) AS start latest(_time) AS stop BY PaymentAmount AccountNumber TransactionType | eval start=if(TransactionType="Begin Payment",start,null()) | eval stop=if(TransactionType="Begin Payment",null(),stop) | stats first(start) AS start first(stop) AS stop BY PaymentAmount AccountNumber | eval duration=stop-start | chart avg(duration) BY PaymentAmount

This may not be exactly the view that you desire, but you should be able to tweak it from there.
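The two answers above both compute a duration as latest minus earliest timestamp within a group, and the thread's open question is what to group by when begin and end events carry no shared id. The following is an added example, not code from the original thread or from Splunk; it reproduces the `rex` / `stats earliest latest BY PaymentString` logic offline in Python on a constructed log in the original poster's format, flags groups where the earliest/latest approach is ambiguous (no Finished, or more than one Begin), and shows one alternative pairing (first-in, first-out by key) for the interleaved case. The FIFO pairing is an assumption about event ordering that the log itself does not justify; the field names TransactionType and PaymentString are taken from the answers, and the sample lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the original poster's format (not real data).
# "Payment" and "Refund" each have one Begin and one Finished.
# "Transfer" has two interleaved Begin/Finished pairs sharing one string.
# "Chargeback" has a Begin with no Finished.
SAMPLE_LOG = """\
2015-05-22 00:05:02,318 INFO Begin Payment
2015-05-22 00:10:17,090 INFO Finished Payment
2015-05-22 00:12:00,000 INFO Begin Refund
2015-05-22 00:12:30,500 INFO Finished Refund
2015-05-22 00:20:00,000 INFO Begin Transfer
2015-05-22 00:21:00,000 INFO Begin Transfer
2015-05-22 00:22:00,000 INFO Finished Transfer
2015-05-22 00:25:00,000 INFO Finished Transfer
2015-05-22 00:30:00,000 INFO Begin Chargeback
"""

# Same capture groups as the SPL rex: INFO\s+(?<TransactionType>\S+)\s+(?<PaymentString>.*)$
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO\s+"
    r"(?P<TransactionType>\S+)\s+(?P<PaymentString>.*)$"
)


def parse_events(text):
    """Return a list of (timestamp, TransactionType, PaymentString) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match, as rex would
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        events.append((ts, m["TransactionType"], m["PaymentString"]))
    return events


def durations_by_key(events):
    """Mirror of `stats earliest(_time) AS start latest(_time) AS stop BY PaymentString
    | eval duration=stop-start`. Also counts Begin/Finished per key so the caller can
    see when latest-minus-earliest is not a single transaction's duration."""
    groups = defaultdict(list)
    for ts, ttype, key in events:
        groups[key].append((ts, ttype))
    result = {}
    for key, evs in groups.items():
        times = [ts for ts, _ in evs]
        begins = sum(1 for _, t in evs if t == "Begin")
        finished = sum(1 for _, t in evs if t == "Finished")
        result[key] = {
            "duration_s": (max(times) - min(times)).total_seconds(),
            "begins": begins,
            "finished": finished,
            # exactly one Begin and one Finished: the span is unambiguous
            "unambiguous": begins == 1 and finished == 1,
        }
    return result


def pair_in_order(events):
    """Alternative for repeated keys: pair each Finished with the oldest still-open
    Begin of the same key (FIFO). This ordering is an assumption; the log does not
    say which Begin a Finished belongs to. Unpaired Begins are reported separately."""
    open_begins = defaultdict(list)   # key -> queue of Begin timestamps
    durations = defaultdict(list)     # key -> list of per-transaction durations
    for ts, ttype, key in sorted(events):
        if ttype == "Begin":
            open_begins[key].append(ts)
        elif ttype == "Finished" and open_begins[key]:
            start = open_begins[key].pop(0)
            durations[key].append((ts - start).total_seconds())
    unpaired = {k: len(q) for k, q in open_begins.items() if q}
    return dict(durations), unpaired


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, row in durations_by_key(evs).items():
        print(f"{key:<11} {row['duration_s']:>8.3f}s  unambiguous={row['unambiguous']}")
    print(pair_in_order(evs))
```

For the Payment group the result matches the original poster's expectation (about 5 minutes, 314.772 s). For the Transfer group, latest-minus-earliest reports 300 s across both transactions, and the count fields show why that number is not a per-payment duration; that is the concurrency problem jeffland raises, and the SPL answers only work when the PaymentString really is unique per payment.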

jeffland
Champion

Do your payments have an id you could use to distinguish them? Then you could split your x-axis along these ids.

0 Karma

alanxu
Communicator

No they do not.

0 Karma

jeffland
Champion

Then I'm afraid what you ask for is not possible. What you have is just individual "begin" and "end" events; how would you ever find out which two belong together? Or is there no concurrency?

0 Karma

alanxu
Communicator

The "Payment" string is unique

0 Karma