Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a timechart of events with start and end times, but graph the entire window of time in between, not just start and end data points?

GeorgeStarkey
Path Finder
‎11-18-2015 03:49 PM

I have a data set that contains start and end times of events. These events signify 'significant events' in our infrastructure. I want to be able to display this as a chart and fill in the gap between the start and end in the event.

for instance the data looks like this:

{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-07-10 16:30:00", "start_date": "2014-07-10 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-04-17 20:00:00", "start_date": "2014-04-17 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-04-28 17:30:00", "start_date": "2014-04-28 17:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-15 16:30:00", "start_date": "2014-05-15 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-26 07:00:00", "start_date": "2014-04-17 07:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-22 16:30:00", "start_date": "2014-05-22 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-26 19:00:00", "start_date": "2014-04-18 06:55:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-22 16:30:00", "start_date": "2014-05-22 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}

I want to be able to do a timechart that will graph the entire window between start and end, not just points of start and end.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-21-2015 10:32 AM

If I understand you correctly, like this:

SearchStringForSignificantEventsHere | eval serial=_serial | eval epochStart=strptime(start_date, "%Y-%m-%d %H:%M:%S") | eval epochEnd=strptime(end_date, "%Y-%m-%d %H:%M:%S") | map search="search earliest=$epochStart$ latest=$epochEnd$ SearchStringForOtherStuffHere | timechart span=1m count by $serial$"

This takes each event from the list in your original post and passes serial (row number of each event in the outer search), epochStart and epochEnd and runs another search to timechart events bounded by and aggregated against these 3 parameters.

Reply

GeorgeStarkey
Path Finder
‎11-24-2015 11:46 AM

Thanks, I will see if this can get me what I am looking for. The _serial field can come in handy!

0 Karma
Reply

woodcock
Esteemed Legend
‎11-25-2015 08:09 AM

So did this work for you?

0 Karma
Reply

GeorgeStarkey
Path Finder
‎11-30-2015 11:16 AM

This isn't quite what I was looking for. I want to chart all of the events however when looking at a timeline I need each one to 'fill' between the start and end time.

It looks like this solution is good for setting the search windows, but I need all of the events graphed, I am looking for a solution that fills any bucket that falls between the start and end with a true evaluation.

That way I can build a timechart that has proper total of any positive events during the timeframes.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-01-2015 06:39 AM

You have said the same think a couple of times. Will you show what this search is producing and how it is inadequate, perhaps with a mockup based on the first output? I do not at all understand what you are saying.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-21-2015 06:34 PM

@woodcock,

I did not know about that _serial field, that's a handy thing to know.

Reply

woodcock
Esteemed Legend
‎11-21-2015 07:18 PM

I felt the same way when I discovered it here!

Reply

sundareshr
Legend
‎11-18-2015 07:50 PM

In the timechart command, there is a cont option, have you looked at that?

http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Timechart

0 Karma
Reply

GeorgeStarkey
Path Finder
‎11-19-2015 09:24 AM

I don't want to fill in time gaps, I want to be able to mark as true any time that lands within the start and end points in the events.

Thanks for the hint though. It will come in useful in a separate place

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...