query to chart total duration by Jobname daily f...

sjafferali · ‎04-20-2018

I wrote the belong query to chart total duration by Jobname daily for over a period of time
the results comes up with 1 day only.
any help is much appreciated.

index="dnr_ecc"  jobname="*IC*HV_TREX" | bucket _time span=1d | stats max(total_run_time) by jobname

woodcock · ‎04-20-2018

What is wrong with this:

index="dnr_ecc" jobname="*IC*HV_TREX"
| timechart span=1d max(total_run_time) BY jobname

somesoni2 · ‎04-20-2018

Your stats command is not doing aggregation based on _time, hence it's giving for overall period, instead of each day. Try like this

index="dnr_ecc"  jobname="*IC*HV_TREX" | bucket _time span=1d | stats max(total_run_time) by _time jobname

Other variations that you can try are

index="dnr_ecc"  jobname="*IC*HV_TREX" | timechart span=1d max(total_run_time) by jobname

index="dnr_ecc"  jobname="*IC*HV_TREX" | eval date=strftime(_time,"%m/%d/%Y") | chart max(total_run_time) by jobname date

sjafferali · ‎04-20-2018

The query I wrote:

  index="dnr_ecc" jobname="*IC*HV_TREX" |
    bucket _time span=1d | dedup jobname jobcount sortby -_time |
    chart max(total_run_time) over _time by jobname

query to chart total duration by Jobname daily for over a period of time

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

query to chart total duration by Jobname daily for over a period of time

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR