Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Histogram/Chart Question

rebourne
Explorer
‎03-11-2011 09:33 PM

Greetings, I am struggling to create a chart to show when our backups begin and end for each server. The purpose is to show how many over lapping backups are running at a single time so that we can stagger them as not to overload our NAS.

We are indexing messages for backups as such:

When it starts: host=hostname name=backup action=begin
When it ends: host=hostname name=backup action=end

I would like something similar to

Hostname:         Time
Host1:          [======]
Host2:        [=====]
Host3:                     [===]
etc.

That is my vision - a nice simple way to see when backups start/end for each host.

Any help or a point in the right direction would be much appreciated.

Thanks

Reply

dmcguerty
Explorer
‎05-07-2014 02:38 PM

I wanted to do something similar. So very easy to to in HTML - and common. Wonder why this is such a roadblock for Splunk.
Thanks

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-12-2011 01:25 AM

You probably want to combine transaction with concurrency

... | transaction host name startswith=("action=begin") endswith=("action=end") | concurrency duration=duration

This will list your backups, each with an additional field concurrency indicating the number of backups running at the start of that backup

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-14-2011 08:44 PM

Oh I see, you want a concurrency chart like Gantt-type chart. Unfortunately, Splunk's charting modules don't display these easily with Splunk's data, and I haven't been able to come up with a good way to make it work. I suppose I'd just file an enhancement request. Note that Splunk's own dbinspect command displays a chart like what you want, but it does some ugly hacking to generate data to fit the display capabilities of the Splunk charting modules.

0 Karma
Reply

rebourne
Explorer
‎03-14-2011 07:37 PM

I do see the duration. However when I graph the duration, it is graphing it as a value, not time. Is there a way to graph the duration over time? For example, action=begin would be at 1am and action=end would be at 2am. I would like to graph between 1am to 2am for host1, whereas host2 would be from 1:30am-2am.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-14-2011 06:09 PM

the transaction command adds a duration field to each transaction it assembles. Is that not what you need to see? So every transaction group will have _time and duration fields.

0 Karma
Reply

rebourne
Explorer
‎03-14-2011 05:34 PM

Excellent! Thank you! I now have the duration of the events. Is there a way to have the duration show at the time that the event started? I am close with:

... | transaction host name startswith=("action=begin") endswith=("action=end") | concurrency duration=duration | timechart span=10m sum(duration) by host

This gets me close but the duration does not match up with the time. Ideas?

Thank you for your time!

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top