index=testindex sourcetype=json source=websource
| timechart span=1h count by JobType
This is my search query to generate a timechart in Splunk. The 'JobType' field has two different values, 'Completed' and 'Started'. In the timeframe between when a job is Completed and when the next Started event happens, there are no jobs running, so I need to create a new event called 'Not Running' to illustrate when there are no jobs running. However, the time between when a job is Started and when a job is Completed needs to be called 'Running', because the time period between these two events is when there are jobs running. I need to visualize these events in a timechart.
Example - there is a job that completes on 01/06/2024 at 17:00 (Completed). The next job starts on 01/06/2024 at 20:00 (Started). In this timeframe between 17:00 and 20:00 on 01/06/2024, it is in a state of 'Not Running'.
I do not want to capture individual jobs; I want to capture all the jobs. The main values I want to illustrate in the timechart are when there are 'Not Running' and 'Running' events, so basically I want to illustrate the gaps between the 'Started' and 'Completed' events accordingly. I am stuck with this, so it would be awesome if I could get some help with this. Thank you.
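An added worked example of the aggregate Running / Not Running state the question asks for. It is not from the thread and not Splunk code; it is Python so it can be run offline against constructed sample events. It sweeps the Started/Completed events in time order and keeps a count of concurrently running jobs, so overlapping jobs collapse into a single 'Running' span instead of one span per job, and it then splits the resulting spans into 1-hour buckets the way a `timechart span=1h` would, reporting minutes per state in each bucket rather than an event count. The `_time` values and the `Transaction.ID` values `a1`, `a2`, `a3` are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread). Each job emits a Started and a
# Completed event carrying the same made-up Transaction.ID; jobs a1 and a2 overlap.
EVENTS = [
    {"_time": "2024-01-06T14:00:00", "Transaction.ID": "a1", "JobType": "Started"},
    {"_time": "2024-01-06T15:30:00", "Transaction.ID": "a2", "JobType": "Started"},
    {"_time": "2024-01-06T16:00:00", "Transaction.ID": "a1", "JobType": "Completed"},
    {"_time": "2024-01-06T17:00:00", "Transaction.ID": "a2", "JobType": "Completed"},
    {"_time": "2024-01-06T20:00:00", "Transaction.ID": "a3", "JobType": "Started"},
    {"_time": "2024-01-06T21:15:00", "Transaction.ID": "a3", "JobType": "Completed"},
]


def state_intervals(events):
    """Sweep the events in time order, counting concurrently running jobs.

    Returns a list of (start, end, state) tuples where state is "Running"
    while at least one job is open and "Not Running" otherwise. Adjacent
    spans with the same state are merged, so overlapping jobs become one
    "Running" span rather than one span per job.
    """
    timeline = sorted(
        (datetime.fromisoformat(e["_time"]), e["JobType"]) for e in events
    )
    spans = []
    running = 0
    prev_t = timeline[0][0]
    for t, job_type in timeline:
        if t > prev_t:
            state = "Running" if running > 0 else "Not Running"
            # Merge with the previous span when the state did not change.
            if spans and spans[-1][2] == state:
                spans[-1] = (spans[-1][0], t, state)
            else:
                spans.append((prev_t, t, state))
            prev_t = t
        if job_type == "Started":
            running += 1
        elif job_type == "Completed":
            running -= 1
            if running < 0:
                # A Completed with no matching Started: the search window
                # probably begins in the middle of a job.
                raise ValueError(f"Completed before Started at {t.isoformat()}")
        else:
            raise ValueError(f"unexpected JobType {job_type!r}")
    return spans


def hourly_chart(spans):
    """Split the spans into 1-hour buckets, like `timechart span=1h`, and
    return {bucket_start: {"Running": minutes, "Not Running": minutes}}."""
    hour = timedelta(hours=1)
    chart = {}
    for start, end, state in spans:
        cur = start
        while cur < end:
            bucket = cur.replace(minute=0, second=0, microsecond=0)
            seg_end = min(end, bucket + hour)
            row = chart.setdefault(bucket, {"Running": 0.0, "Not Running": 0.0})
            row[state] += (seg_end - cur).total_seconds() / 60
            cur = seg_end
    return chart


if __name__ == "__main__":
    spans = state_intervals(EVENTS)
    for start, end, state in spans:
        print(f"{start:%Y-%m-%d %H:%M} - {end:%H:%M}  {state}")
    for bucket, row in sorted(hourly_chart(spans).items()):
        print(f"{bucket:%Y-%m-%d %H:%M}  Running={row['Running']:5.1f}"
              f"  Not Running={row['Not Running']:5.1f}")
```

With the sample data this yields one Running span 14:00-17:00 (a1 and a2 merged), a Not Running gap 17:00-20:00, and a Running span 20:00-21:15, which is exactly the gap the question describes. A Completed event with no preceding Started raises an error rather than silently producing a negative count; if the search window starts mid-job that is worth knowing. The same sweep can be sketched in SPL (my suggestion, not something from the thread, and untested on the asker's data) with `| sort 0 _time | eval delta=if(JobType=="Started",1,-1) | streamstats sum(delta) as running | eval state=if(running>0,"Running","Not Running")`, after which the gap between one event and the next carries the `state` value.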
@KendallW I tried this but it says 'Error in 'chart' command: The specifier 'duration' is invalid. It must be in form <func>(<field>). For example: max(size).':
| transaction "c49b6a70qw"
| chart duration over _time
Is "c49b6a70qw" the field name or field value?
It needs to be the field name. E.g. If the field name is "transactionID", then please run the search query exactly as my previous comment.
@KendallW "c49b6a70qw" is an example transactionID in the field name "Transaction.ID" that is sent to the index in double quotes.
I tried this search query but got the same error message:
| transaction "Transaction.ID"
| chart duration over _time
Sorry, try this:
| chart values(duration) over _time
I have also edited my previous comment with this.
Hi @KendallW,
Apologies for the late reply. I tried it, but it still doesn't return the expected outcome.
Could you please share a screenshot?
Hi @din98
The 'duration' field from the transaction command sounds like what you're looking for. Do the jobs each have a unique ID field you could run this on?
| transaction <ID>
@KendallW
That's right. There are multiple transactions and each transaction has a transactionID. Each transaction can have a job type which can be either 'Completed' or 'Started'.
Try this:
index=testindex sourcetype=json source=websource
| transaction "Transaction.ID"
| chart values(duration) over _time