Splunk Search

Charting Transactions



I am trying to build a graphical representation of a set of transactions by type. Ideally I am looking for a Gantt representation.
Ex Log:

2013-289-19:00:00 type=1 active
2013-289-19:01:00 type=1 terminated
2013-289-19:20:00 type=1 active
2013-289-19:21:00 type=2 active
2013-289-19:23:00 type=2 terminated
2013-289-19:30:00 type=1 terminated

Search So far:

…|transaction type | eval prestart=_time-1 | eval start=_time | eval stop=_time+duration | eval poststop=stop+1 | … build xyseries with active time = 1 in y series??? … | timechart ??? by type

Being that there is no Gantt chart I was just planning on building a xyseries and plotting a 1 when the event is occurring and a 0 when it isn’t. I intended on formatting the stacked area chart with missing values set to connect. Unfortunately I am too new to the search language to get things to work like I want them to. Any ideas on how to proceed?


Tags (2)



Ok, so this is a long one, and I'm about to leave work. Drop this into a search, change the visualizations to "Stacked Columns" and let me know how it goes. I'd recommend doing this over small frame and going from there.

YOUR_SEARCH_FOR_EVENTS |transaction type startswith=active endswith=terminated maxspan=10s |streamstats count as evt_id | eval earliest=min(_time) | eval latest=earliest+duration| convert ctime(earliest) as et timeformat="%m/%d/%Y:%H:%M:%S" | convert ctime(latest) as lt timeformat="%m/%d/%Y:%H:%M:%S" | map search="|gentimes start=$et$ end=$lt$ increment=5s | eval evt_id=$evt_id$ | eval type=$type$ | eval Present=1 |eval _time = starttime |fields - end* start* "|fields _time Present type evt_id |bin _time span=5s | timechart span=30s avg(Present) by type