How to edit my current search to convert table dat...

fisuser1 · ‎12-16-2015

Hello -

I am currently looking to create a timechart or chart (line or bar graph) to display table data I have created within Splunk. This table currently displays daily runtimes of numerous jobs. I'm looking to graph these time values (DayendDuration) into a bar or line chart over a weeks time. Any suggestions would be greatly appreciated.

            Start                  End          DayendDuration
1   12/15/2015 22:16:10 12/16/2015 02:48:25 **04:32:15**
2   12/14/2015 22:16:08 12/15/2015 02:23:00 **04:06:52**
3   12/13/2015 22:16:07 12/14/2015 01:43:26 **03:27:19**
4   12/12/2015 22:16:06 12/13/2015 01:49:42 **03:33:36**
5   12/11/2015 22:16:07 12/12/2015 02:56:29 **04:40:22**
6   12/10/2015 22:16:09 12/11/2015 02:39:53 **04:23:44**
7   12/09/2015 22:16:08 12/10/2015 02:09:22 **03:53:14**

Current search:

sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | eval DayendDuration = tostring('Duration', "duration") | table  Start End DayendDuration

richgalloway · ‎12-16-2015

Off the top of my head (meaning I haven't been able to test this), try this.

sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | timechart values(Duration)

---
If this reply helps you, Karma would be appreciated.

fisuser1 · ‎12-16-2015

Thank you for the response. I'm afraid it does not keep the values I need by 'eval DayendDuration = tostring('Duration', "duration")'.

fisuser1 · ‎12-16-2015

I did add the following, but do not see any data populating in the graph. No errors though, which is better than before. 🙂

sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | timechart values(DayendDuration)

richgalloway · ‎12-17-2015

The problem is the timechart command is designed to plot numbers rather than strings. That is why I used Duration instead of DayendDuration. Try this alternative. It displays Duration in human-readable form while keeping it as a integer for charting.

sourcetype=DSTATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S") | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration = (EndTime - StartTime)/1000 | fieldformat Duration=tostring(Duration,"duration") | timechart values(Duration)

---
If this reply helps you, Karma would be appreciated.

fisuser1 · ‎12-19-2015

Agreed on timechart not intended for string values, just thought I would give it a try. Will just present the data in the original table since nothing really seems to work while charting. Thank you very much for the help though, much appreciated.

How to edit my current search to convert table data into a timechart or chart?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?