How to make a barchart with start time, duration by resource

las
Contributor

Hi.

I would like to make a bar chart, where date/time is on the X-axis, and the resource is the Y-axis, the bar should start at _time, and have a length of duration.

Is this possible using only base Splunk 6.1, or is it necessary to download and install additional apps?

If it is possible what would the chart look like?

Thanks in advance.

1 Solution

las
Contributor

The trick is to have a start and end event, with a unique number, and then do a line graph on that number. That will produce a nice horizontal line, spanning from start to end.

las
Contributor

The search is as follows:

  eventtype=TWS_logs eventtype=TWS_job_events NOT (userID = "TWSD01" OR userID = "TWSP01") submitName=* NOT submitName=TWSON* (eventText="TWS_Job_Abend" OR eventText="TWS_Job_Failed" OR eventText="TWS_Job_Launched" OR eventText="TWS_Job_Done")
  | dedup _raw
  | eval label=submitName."-".jobNumber
  | timechart limit=0 first(jobNumber) by label

And what I end up with, is a result set like this:
[image]

Where the four arrows indicate the unique number, and a name which is concatenated as a label.

The end result is as follows:
[image]

The graph is rather large, so I have just taken a small portion.

0 Karma
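
Added example, not part of the thread: one way to apply the start/end trick when each event carries only `_time` and a `duration` field, as in the original question. Each event is numbered, expanded into a start point and an end point, and charted by label. The index, sourcetype and `resource` field names are placeholders, `duration` is assumed to be in seconds, and `span=1m` is an assumed bucket size.

```spl
index=your_index sourcetype=your_sourcetype duration=* resource=*
| fields _time, duration, resource
| streamstats count AS row
| eval label=resource."-".row
| eval end=_time + duration
| eval point=mvappend(_time, end)
| mvexpand point
| eval _time=tonumber(point)
| timechart span=1m limit=0 first(row) by label
```

Render the result as a line chart with null values connected (`charting.chart.nullValueMode` set to `connect`), otherwise only the two endpoints of each bar are drawn. A bar shorter than the span falls into a single bucket and shows as one point.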

MuS
SplunkTrust

could you share the search and the resulting graph, please?

las
Contributor

Yes, that is something in the line I was looking for.
It took some time, but I got the gist, and found a solution, that works for me based on the example.

0 Karma

somesoni2
SplunkTrust

Are you looking for a Gantt chart? Maybe this?

https://apps.splunk.com/app/1741/

Also check out this.
http://answers.splunk.com/answers/1644/building-a-gantt-chart

MuS
SplunkTrust

Hi las,

take this run everywhere example:

  index=_internal | chart values(kb) over series by _time

this will generate a bar graph like this:

[image]

hope this helps ...

cheers, MuS

0 Karma

MuS
SplunkTrust

more like this

 index=_internal | chart values(kb) over _time by series

?

0 Karma

las
Contributor

Hi MuS.

Yes, but all the bars start at zero, what I would like was for the individual bar to start at the time indicated by _time in the event, and have the length indicated by duration, and then have the X-axis as _time.

0 Karma