Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Chart duration of process over time

gnovak
Builder
‎11-30-2012 09:49 AM

I've been messing with this all morning and still can't get the results I want. Why is this so difficult to achieve?

I have a list of how long it took to load an index for some "users". Like this:

00:15:27    aaa
00:15:07    bbb
00:10:56    ccc
00:29:36    ddd
00:24:13    eee
02:58:51    fff
00:38:33    ggg
00:21:29    hhh
00:17:44    iii

I want to create a bar or line graph for this data spanning over a few days. I'd like to show how much time it took for say "aaa" to load this index over the course of 4 days.

I'm having issues having splunk understand time formats and to display a scale of "time" based on the results, say like every 30 minutes on a chart....Do I have to convert the time to seconds, then back to a readable time for this to happen?

I tried this search. I thought "eh, this is easy!" apparently not:

sourcetype=edr daysago=4 | dedup LoadTime, users | timechart per_day(LoadTime) by users

My results are not what i'm looking for . For example, one of the times is:

00:21:29   hhh

Splunk graphs it as: 

50424.000000   hhh

How can I make a graph of this data for each user across a span of time in a format of time readable???

Tags (1)
0 Karma
Reply

RicoSuave
Builder
‎12-06-2012 12:57 PM

Ok. you need to use convert to convert that field.

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/convert

so in yourcase experiment with convert dur2sec(LoadTime) or maybe mstime()

0 Karma
Reply

gnovak
Builder
‎12-19-2012 12:52 PM

I'll try this!

0 Karma
Reply

gnovak
Builder
‎12-06-2012 10:38 AM

anyone have any idea if this is even possible? Would like on the left side of graph to have actual times in a scale of say, 1 hour, 2 hours, 3 hours, etc...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...