Solved: Re: How to chart job ending time - Time on Y Axis ...

sjringo · ‎02-14-2023

If I am starting with this query:

index=anIndex sourcetype=aSourcetype ( aJobName AND "COMPLETED OK" )

The job im intereted in runs once perday.

I would like completion time on the Y Axis and the day on the X axis.

I found this previous piece of code but am not sure how to adapt to my query results ?

| eval _time=strptime(timestamp,"%F %T.%Q")
| eval t=split(substr(timestamp, 12, 8),":")
| eval h=mvindex(t,0), m=mvindex(t,1), s=mvindex(t,2)
| eval v=(h)+(m/100)
| bin _time span=1d
| chart max(v) over _time by job

bowesmana · ‎02-14-2023

So, if the _time field in the COMPLETED OK event is the end time of your job, then if you want to display the time of day as the Y-axis, then you can do

| eval t=split(strftime(_time, "%H:%M:%S"), ":")
| eval h=mvindex(t,0), m=mvindex(t,1), s=mvindex(t,2)
| eval v=(h)+(m/100)
| bin _time span=1d
| chart max(v) over _time by job

where job is a field name with the job name

It will give you a y-axis value of hours + decimal value of minutes. i.e. 9:48 will be 9.48

View solution in original post

bowesmana · ‎02-14-2023

So, if the _time field in the COMPLETED OK event is the end time of your job, then if you want to display the time of day as the Y-axis, then you can do

| eval t=split(strftime(_time, "%H:%M:%S"), ":")
| eval h=mvindex(t,0), m=mvindex(t,1), s=mvindex(t,2)
| eval v=(h)+(m/100)
| bin _time span=1d
| chart max(v) over _time by job

where job is a field name with the job name

It will give you a y-axis value of hours + decimal value of minutes. i.e. 9:48 will be 9.48

How to chart job ending time - Time on Y Axis / Day on X Axis ?

chart

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms