Hi,
how can I make a stacked column chart . Currently the Purple area displays how long it took for all processes combined to execute. How could I modify my spl query so that it would display how long each individual process took to complete in a column chart. (A1, A2, A3 - process names)
| rex field=PROCESS_NAME ":(?<Process>[^\"]+)"
| eval finish_time_epoch = strftime(strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval start_time_epoch = strftime(strptime(START_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval duration_s = strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S") - strptime(START_TIME, "%Y-%m-%d %H:%M:%S")
| eval duration_min = round(duration_s / 60, 2)
| chart sum(duration_min) as "time" by G_DT
1 Solution
Hi,
not sure whats the content of your G_DT field but in general you can create a stacked chart like this:
| makeresults count=100
| streamstats count as pid
| eval _time=_time-(pid*3600), duration=random()%300
| timechart span=1d useother=f sum(duration) by pid
