Solved: Re: Charting completion time on daily basis

nomad1981 · ‎10-05-2020

Hi,

I'm trying to build a line graph that would show me the completion time of an event on a daily basis. The completion time is in the timestamp field. The y axis should display the time of completion and the x axis the date

Example:

timestamp="2020-10-03 00:48:48.0" statusText="SUCCESS" "JOB1"

timestamp="2020-10-01 21:45:22.0" statusText="SUCCESS" "JOB1"

timestamp="2020-09-31 21:44:22.0" statusText="SUCCESS" "JOB1"

timestamp="2020-09-30 22:48:48.0" statusText="SUCCESS" "JOB1"

timestamp="2020-09-29 00:48:48.0" statusText="SUCCESS" "JOB1"

Can anyone please advise what is the best way to do this?

bowesmana · ‎10-05-2020

You cannot display time as such on the Y axis, but you can do this, where you are creating a decimal value of time

| makeresults
| eval _raw="timestamp=\"2020-10-03 00:48:48.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-10-01 21:45:22.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-09-30 21:44:22.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-09-29 22:48:48.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-09-28 00:48:48.0\" statusText=\"SUCCESS\" job=\"JOB1\""
| eval x=split(_raw,";")
| mvexpand x
| rename x as _raw
| extract
| fields - _raw
| eval _time=strptime(timestamp,"%F %T.%Q")
| eval t=split(substr(timestamp, 12, 8),":")
| eval h=mvindex(t,0), m=mvindex(t,1), s=mvindex(t,2)
| eval v=(h)+(m/100)
| bin _time span=1d
| chart max(v) over _time by job

What you want is from after the fields - _raw line

It creates the Y axis as hours + minutes / 100, so 10:48 will look like 10.48

Hope this is useful.

View solution in original post

bowesmana · ‎10-05-2020

You cannot display time as such on the Y axis, but you can do this, where you are creating a decimal value of time

| makeresults
| eval _raw="timestamp=\"2020-10-03 00:48:48.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-10-01 21:45:22.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-09-30 21:44:22.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-09-29 22:48:48.0\" statusText=\"SUCCESS\" job=\"JOB1\";
timestamp=\"2020-09-28 00:48:48.0\" statusText=\"SUCCESS\" job=\"JOB1\""
| eval x=split(_raw,";")
| mvexpand x
| rename x as _raw
| extract
| fields - _raw
| eval _time=strptime(timestamp,"%F %T.%Q")
| eval t=split(substr(timestamp, 12, 8),":")
| eval h=mvindex(t,0), m=mvindex(t,1), s=mvindex(t,2)
| eval v=(h)+(m/100)
| bin _time span=1d
| chart max(v) over _time by job

What you want is from after the fields - _raw line

It creates the Y axis as hours + minutes / 100, so 10:48 will look like 10.48

Hope this is useful.

sjringo · ‎02-14-2023

Hi, I am trying to adapt this solution to a query that I have that returns job ending times.

If I am starting with this query:

index=anIndex sourcetype=aSourcetype ( aJobName AND "COMPLETED OK" )

From this query I get a list of events.

How can this solution be used to graph my events ?

bowesmana · ‎02-14-2023

It's best to open a new question rather than take a different tack to an old one, it makes it easier for others to see the new one, so you'll get the best help.

Charting completion time on daily basis

chart

timechart

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?