Dashboards & Visualizations

How to only illustrate gaps between two events in a field?

din98
Explorer

index=testindex sourcetype=json source=websource
| timechart span=1h count by JobType

This is my search query to generate a timechart in Splunk. The 'JobType' field has two different values, which are 'Completed' and 'Started'. In the timeframe between when a job is Completed and when the next Started event happens, there are no jobs running, so I need to create a new event called 'Not Running' to illustrate when there are no jobs running. However, the time between when a job is Started and a job is Completed needs to be called 'Running', because the time period between these two events is when there are jobs running. I need to visualize these events in a timechart.

Example - there is a job that completes on 01/06/2024 at 17:00 (Completed). The next job starts on 01/06/2024 at 20:00 (Started). In this timeframe between 17:00 and 20:00 on 01/06/2024, it is in a state of 'Not Running'.

I do not want to capture individual jobs. I want to capture all the jobs. The main values I want to illustrate in the timechart are when there are 'Not Running' and 'Running' events, so basically I want to illustrate the gaps between the 'Started' and 'Completed' events accordingly. I am stuck with this, so it would be awesome if I can get some help for this. Thank you.

0 Karma
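As an added example (not part of the thread and not Splunk's own code), the following Python models the Started/Completed gap logic the question describes on a constructed set of events, including the 17:00 Completed / 20:00 Started gap from the example. It generalizes slightly beyond the question: a running-job counter handles overlapping jobs, and an hourly bucketing step mimics what `timechart span=1h` would produce. The event list, field names and function names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original thread): (timestamp, JobType).
# They include the 17:00 Completed / 20:00 Started gap described in the question,
# plus one overlapping job to show the running-count handling.
EVENTS = [
    ("2024-06-01 09:00", "Started"),
    ("2024-06-01 11:30", "Completed"),
    ("2024-06-01 11:00", "Started"),   # second job starts before the first completes
    ("2024-06-01 17:00", "Completed"),
    ("2024-06-01 20:00", "Started"),
    ("2024-06-01 22:15", "Completed"),
]


def parse(events):
    """Parse and sort events by time, as the search pipeline would before streamstats."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), j) for t, j in events)


def intervals(events):
    """Return [(start, end, state)] from the first event to the last.

    The counter goes up on Started and down on Completed, so the state is
    'Running' while any job is open and 'Not Running' once all have completed.
    Adjacent segments with the same state are merged into one interval.
    """
    ev = parse(events)
    running = 0
    out = []
    for i, (t, job) in enumerate(ev):
        running += 1 if job == "Started" else -1 if job == "Completed" else 0
        running = max(running, 0)  # a Completed with no matching Started must not go negative
        if i + 1 == len(ev):
            break  # nothing after the last event to bound an interval
        state = "Running" if running > 0 else "Not Running"
        nxt = ev[i + 1][0]
        if out and out[-1][2] == state:
            out[-1] = (out[-1][0], nxt, state)
        else:
            out.append((t, nxt, state))
    return out


def hourly_states(events, span=timedelta(hours=1)):
    """Like `timechart span=1h`: one row per hour bucket with minutes Running / Not Running."""
    segs = intervals(events)
    if not segs:
        return []
    bucket = segs[0][0].replace(minute=0, second=0, microsecond=0)
    last = segs[-1][1]
    rows = []
    while bucket < last:
        b_end = bucket + span
        mins = {"Running": 0, "Not Running": 0}
        for s, e, state in segs:
            overlap = min(e, b_end) - max(s, bucket)
            if overlap > timedelta(0):
                mins[state] += int(overlap.total_seconds() // 60)
        rows.append((bucket, mins["Running"], mins["Not Running"]))
        bucket = b_end
    return rows


if __name__ == "__main__":
    for s, e, state in intervals(EVENTS):
        print(f"{s:%H:%M} - {e:%H:%M}  {state}")
    for bucket, run, idle in hourly_states(EVENTS):
        print(f"{bucket:%Y-%m-%d %H:%M}  Running={run:3d}  Not Running={idle:3d}")
```

The same shape carries over to SPL: an `eval` that assigns +1 to Started and -1 to Completed, a `streamstats sum()` over the sorted events for the running count, and then `timechart` over the derived state. Note that `transaction` on a per-job ID gives each job's own `duration`, which is the Running portion, but it does not by itself produce the Not Running gaps between one job's Completed and the next job's Started.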

din98
Explorer

@KendallW I tried this but it says 'Error in 'chart' command: The specifier 'duration' is invalid. It must be in form <func>(<field>). For example: max(size).':


| transaction "c49b6a70qw"
| chart duration over _time

0 Karma

KendallW
Contributor

Is "c49b6a70qw" the field name or the field value?
It needs to be the field name. E.g. if the field name is "transactionID", then please run the search query exactly as in my previous comment.

0 Karma

din98
Explorer

@KendallW "c49b6a70qw" is an example transactionID in the field named "Transaction.ID" that is sent to the index in double quotes.

I tried this search query but got the same error message:

| transaction "Transaction.ID"
| chart duration over _time

0 Karma

KendallW
Contributor

Sorry, try this:

| chart values(duration) over _time

I have also edited my previous comment with this.

0 Karma

din98
Explorer

Hi @KendallW,

Apologies for the late reply. I tried it, but it still doesn't return the expected outcome.

0 Karma

KendallW
Contributor

Could you please share a screenshot?

0 Karma

KendallW
Contributor

Hi @din98
The 'duration' field from the transaction command sounds like what you're looking for. Do the jobs each have a unique ID field you could run this on?

| transaction <ID>

0 Karma

din98
Explorer

@KendallW 

That's right. There are multiple transactions and each transaction has a transactionID. Each transaction can have a job type which can be either 'Completed' or 'Started'.

0 Karma

KendallW
Contributor

Try this:

index=testindex sourcetype=json source=websource
| transaction "Transaction.ID"
| chart values(duration) over _time

0 Karma