Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display duration(start and end time) in a column chart?

mythili
Explorer
‎09-11-2024 09:38 PM

Hi all, 

I am trying to show the connected duration, which is calculated using transaction command in a timechart. When I try below query, the entire duration shows in the earliest timestamp(start time) as a single column. I would like to show the connected duration in a column chart, with area between start and end time colored.  For example, if device was connected from 20th August to 23rd August, I want the column to extend across these days. Currently, the entire duration is shown on the 20th date alone. Kindly let me know your suggestions to implement this.

Query:

| transaction dvc_id startswith="CONNECTED" endswith="DISCONNECTED"
| timechart sum(duration) by connection_protocol



Labels (4)
Labels
Preview file
15 KB
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-11-2024 11:21 PM

You need to look for a different visualization. Bar chart, line chart and such are meant for showing discrete values, not time ranges.

For starters - you can check out this app https://splunkbase.splunk.com/app/3120 (I'm not saying that's what fits your use case but that's at least one possible approach).

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-11-2024 11:10 PM

What you ask is effectively a Gantt chart visualization that Splunk search and dashboard doesn't support natively.  Checkout this viz app: https://splunkbase.splunk.com/app/3120.

(Years ago I got some help here for similar - a lot of filldown and stuff.  Using a prebuilt app is perhaps the best way to go for now.)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-11-2024 11:09 PM

Hi @mythili ,

to acquire your requirement it isn't possible with the default visualizations, but you could try with the Splunk Timeline - custom visualization (https://splunkbase.splunk.com/app/3120) add-on, following the instructions about how to create your search.

Ciao.

Giuseppe

0 Karma
Reply

norbertomyrna
New Member
‎09-11-2024 10:05 PM

hey there!!

0 Karma
Reply

norbertomyrna
New Member
‎09-11-2024 10:04 PM

Right-click on the chart area and choose Select Data. Click Add and enter Duration as the series name. Select cells E5:E11 as the series values and click OK. The Edit Series window will reappear. Click OK. Click OK on the Select Data Source window. The duration will be added to the chart.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...