Create a graph with time fields different than eve...

edrivera3 · ‎05-01-2015

Hi
In my events I have the following fields:
1. Initialtime (This is different than event's timestamp) (format=string)
2. Endtime (This is different than event's timestamp) (format=string)
3. Process Name (format=string)

I am interested to create a graph which has time in x-axis and process names in y-axis. I want to show the multiple processes and duration time of each of them in the graph. I am not sure if this possible.

I already strptime() both time fields so now I can manipulate them.

If this is not possible. Is there a way to get something similar with a different graph. I want to see the duration of each of the process simultaneously and see if they overlap during some period of time.

edrivera3 · ‎05-01-2015

This is what I have already:
(Both time fields are multivalue fields so I am only interested in the minimum value of initime and maximum value of endtime.)

...| eval inistamp=strptime(initime,"%b %d %H:%M:%S %Y") | eval endstamp=strptime(endtime,"%b %d %H:%M:%S %Y") | stats max(endstamp) AS high min(inistamp) AS low by process_name| eval duration = high - low

So basically I also have the duration time of process_name

stephane_cyrill · ‎05-01-2015

try this:
..........|stats .......................over yourField

edrivera3 · ‎05-01-2015

I do not understand your answer. Could you explain how your answer could help me?

Create a graph with time fields different than event's timestamp

Re: Create a graph with time fields different than event's timestamp

Re: Create a graph with time fields different than event's timestamp

Re: Create a graph with time fields different than event's timestamp