How to only illustrate gaps between two events in ...

din98 · ‎06-02-2024

index=testindex sourcetype=json source=websource

| timechart span=1h count by JobType

This is my search query to generate a timechart in Splunk. The 'JobType' field has two different values for the field, which are 'Completed' and 'Started'. The timeframe between when a job is Completed and before the next Started event happens, there are no jobs running, so I need to create a new event called 'Not Running' to illustrate when there are no jobs running. However, the time between when a job is Started and a job is Completed needs to be called 'Running' because the time period between these two events is when there are jobs running. I need to visualize these events in a timechart.

Example - there is a job that completes on 01/06/2024 at 17:00 (Completed). The next job starts on 01/06/2024 at 20:00 (Started). In this timeframe between 17:00 and 20:00 on 01/06/2024, it is in a state of 'Not Running'.

I do not want to capture individual jobs. I want to capture all the jobs. The main values I want to illustrate in the timechart is when there are 'Not Running' and 'Running events so basically I want to illustrate the gaps between the 'Started' and 'Completed' events accordingly. I am stuck with this so it would be awesome if I can get some help for this. Thank you.

din98 · ‎06-02-2024

@KendallW I tried this but it says 'Error in 'chart' command: The specifier 'duration' is invalid. It must be in form <func>(<field>). For example: max(size).':

| transaction "c49b6a70qw"
| chart duration over _time

KendallW · ‎06-02-2024

Is "c49b6a70qw" the field name or field value?
It needs to be the field name. E.g. If the field name is "transactionID", then please run the search query exactly as my previous comment.

din98 · ‎06-02-2024

@KendallW"c49b6a70qw" is an example transactionID in the field name "Transaction.ID" that is sent to the index in double quotes.

I tried this search query but got the same error message:

| transaction "Transaction.ID"
| chart duration over _time

KendallW · ‎06-02-2024

Sorry, try this:

| chart values(duration) over _time

I have also edited my previous comment with this.

din98 · ‎06-16-2024

Hi @KendallW,

Apologies for the late reply. I tried it but still doesn't return the expected outcome.

KendallW · ‎06-17-2024

Could you please share a screenshot?

KendallW · ‎06-02-2024

Hi @din98
the 'duration' field from the transaction command sounds like what you're looking for. Do the jobs each have a unique ID field you could run this on?

| transaction <ID>

din98 · ‎06-02-2024

@KendallW

That's right. There are multiple transactions and each transaction has a transactionID. Each transaction can have a job type which can be either 'Completed' or 'Started'.

KendallW · ‎06-02-2024

Try this:

index=testindex sourcetype=json source=websource
| transaction "Transaction.ID"
| chart values(duration) over _time

How to only illustrate gaps between two events in a field?

Dashboard Studio

form

panel

table

timechart

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?

Are you a member of the Splunk Community?

How to only illustrate gaps between two events in a field?

Can’t make it to .conf25? Join us online!