- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my current search to convert table...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my current search to convert table data into a timechart or chart?
Hello -
I am currently looking to create a timechart or chart (line or bar graph) to display table data I have created within Splunk. This table currently displays daily runtimes of numerous jobs. I'm looking to graph these time values (DayendDuration) into a bar or line chart over a weeks time. Any suggestions would be greatly appreciated.
Start End DayendDuration
1 12/15/2015 22:16:10 12/16/2015 02:48:25 **04:32:15**
2 12/14/2015 22:16:08 12/15/2015 02:23:00 **04:06:52**
3 12/13/2015 22:16:07 12/14/2015 01:43:26 **03:27:19**
4 12/12/2015 22:16:06 12/13/2015 01:49:42 **03:33:36**
5 12/11/2015 22:16:07 12/12/2015 02:56:29 **04:40:22**
6 12/10/2015 22:16:09 12/11/2015 02:39:53 **04:23:44**
7 12/09/2015 22:16:08 12/10/2015 02:09:22 **03:53:14**
Current search:
sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | eval DayendDuration = tostring('Duration', "duration") | table Start End DayendDuration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Off the top of my head (meaning I haven't been able to test this), try this.
sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | timechart values(Duration)
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the response. I'm afraid it does not keep the values I need by 'eval DayendDuration = tostring('Duration', "duration")'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did add the following, but do not see any data populating in the graph. No errors though, which is better than before. 🙂
sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | timechart values(DayendDuration)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is the timechart command is designed to plot numbers rather than strings. That is why I used Duration instead of DayendDuration. Try this alternative. It displays Duration in human-readable form while keeping it as a integer for charting.
sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | fieldformat Duration=tostring(Duration,"duration") | timechart values(Duration)
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed on timechart not intended for string values, just thought I would give it a try. Will just present the data in the original table since nothing really seems to work while charting. Thank you very much for the help though, much appreciated.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
