Dashboards & Visualizations

How do you make a line graph where the y-axis is time, and the x-axis is the name of the event?

alanxu
Communicator

Hello,
I want to create a line graph where the y-axis is time and the x-axis is the name of the event. How would you create that line graph? An example of the file is:

 2015-05-22 00:5:02,318 INFO Begin Payment 
 2015-05-22 00:10:17,090 INFO Finished Payment

So I want the x-axis to show the payment and the y-axis the time it took for the payment to finish; in this case, 5 minutes.

0 Karma
1 Solution

woodcock
Esteemed Legend

Based on this comment of yours:

The "Payment" string is unique

This is the best that can be done:

... | rex "INFO\s+(?<TransactionType>[\S]+)\s+(?<PaymentString>.*)$" | stats earliest(_time) AS start latest(_time) AS stop BY PaymentString | eval duration=stop-start

If you would like to chart it, you can do something like this:

... | rex "INFO\s+(?<TransactionType>[\S]+)\s+(?<PaymentString>.*)$" | eventstats earliest(_time) AS start latest(_time) AS stop BY PaymentString | where TransactionType="Finished" | eval duration=stop-start | timechart span=1h avg(duration)



woodcock
Esteemed Legend

Also, check out the answer to this question which I believe is either the same or very related:

http://answers.splunk.com/answers/301060/how-to-create-a-line-graph-in-xml-that-displays-th-1.html

woodcock
Esteemed Legend

Your event examples are woefully inadequate, but assuming you have fields like AccountNumber and PaymentAmount, then do it like this:

... | rex "INFO\s+(?<TransactionType>.*)" | eventstats earliest(_time) AS start latest(_time) AS stop BY PaymentAmount AccountNumber TransactionType | eval start=if(TransactionType="Begin Payment",start,null()) | eval stop=if(TransactionType="Begin Payment",null(),stop) | stats first(start) AS start first(stop) AS stop BY PaymentAmount AccountNumber | eval duration=stop-start | chart avg(duration) BY PaymentAmount

This may not be exactly the view that you desire, but you should be able to tweak it from there.
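The pairing that the accepted answer's stats/eventstats queries perform (earliest and latest time per PaymentString, duration = stop - start), together with the case jeffland raises where overlapping payments share the same string and no id, as an added Python example that is not part of the original thread; the sample log lines are constructed in the poster's format:

```python
import re
from datetime import datetime

# Constructed sample events in the poster's log format; the values are hypothetical.
SAMPLE_LOG = """\
2015-05-22 00:05:02,318 INFO Begin Payment
2015-05-22 00:10:17,090 INFO Finished Payment
2015-05-22 00:12:00,000 INFO Begin Refund
2015-05-22 00:13:30,500 INFO Finished Refund
"""

# Two overlapping payments with no id: earliest/latest per key cannot separate them.
CONCURRENT_LOG = """\
2015-05-22 01:00:00,000 INFO Begin Payment
2015-05-22 01:00:30,000 INFO Begin Payment
2015-05-22 01:01:00,000 INFO Finished Payment
2015-05-22 01:04:00,000 INFO Finished Payment
"""

# Same split as the answer's rex: TransactionType is the word after INFO,
# PaymentString is the rest of the line.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO\s+"
    r"(?P<TransactionType>\S+)\s+(?P<PaymentString>.*)$"
)

def parse_events(text):
    """Return (timestamp, TransactionType, PaymentString) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m.group("TransactionType"), m.group("PaymentString")))
    return events

def durations_by_key(events):
    """Equivalent of: stats earliest(_time) AS start latest(_time) AS stop BY PaymentString
    | eval duration=stop-start. Also counts Begin events per key so the caller can tell
    when the key was shared by overlapping transactions and the duration is not meaningful."""
    start, stop, begins = {}, {}, {}
    for ts, ttype, key in events:
        start[key] = min(start.get(key, ts), ts)
        stop[key] = max(stop.get(key, ts), ts)
        begins[key] = begins.get(key, 0) + (ttype == "Begin")
    return {key: {"duration": (stop[key] - start[key]).total_seconds(),
                  "ambiguous": begins[key] > 1}
            for key in start}
```

For the concurrent sample the function still returns a number (240 seconds), but flags it as ambiguous, which is exactly why the thread asks whether an id exists to split the x-axis on.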

jeffland
SplunkTrust

Do your payments have an id you could use to distinguish them? Then you could split your x-axis along these ids.

0 Karma

alanxu
Communicator

No they do not.

0 Karma

jeffland
SplunkTrust

Then I'm afraid what you ask for is not possible. What you have is just individual "begin" and "end" events; how would you ever find out which two belong together? Or is there no concurrency?

0 Karma

alanxu
Communicator

The "Payment" string is unique

0 Karma