- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to plot durations in a stacked area chart?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to plot durations in a stacked area chart?
Hey,
I'm a first time user and I'd like to use splunk for observing performance issues in an application. We want to see how much time an application uses to fetch the data and render the data.
Basically the planning application fetches data from a DB backend and renders it onto the screen. Sometimes the user wants to view the data in a grid, sometimes in a graphical chart, sometimes even both (multiple windows can be open at the same time). In case both views are open, the system only retrieves data once.
The app produces the following log at the moment:
2015-08-31 10:29:02:666 1 start-total Next Day
2015-08-31 10:29:02:686 1 start-data refresh function
2015-08-31 10:29:04:284 1 end-data refresh function
2015-08-31 10:29:04:333 1 start-render planning grid
2015-08-31 10:29:08:114 1 end-render planning grid
2015-08-31 10:29:09:227 1 end-total Next Day
2015-08-31 10:30:12:444 2 start-total planningblock
2015-08-31 10:30:12:485 2 start-data refresh function
2015-08-31 10:30:14:333 2 end-data refresh function
2015-08-31 10:30:14:356 2 start-render planning chart
2015-08-31 10:30:18:986 2 end-render planning chart
2015-08-31 10:30:18:999 2 start-render planning grid
2015-08-31 10:30:24:324 2 end-render planning grid
2015-08-31 10:30:24:554 2 end-total planningblock
2015-08-31 10:32:01:464 3 start-total active planningblock
2015-08-31 10:32:01:470 3 start-data refresh function
2015-08-31 10:32:03:001 3 end-data refresh function
2015-08-31 10:32:03:011 3 start-render planning chart
2015-08-31 10:32:09:975 3 end-render planning chart
2015-08-31 10:32:10:015 3 end-total active planningblock
I started by extracting fields:
time: 2015-08-31 10:29:02:666
id: 1
timeindicator: start-total
action: Next Day
I played around with the transaction command, but I can't get it quite right. Ideally the output is a stacked chart with the cumulative duration per id over the time entries. In the example data for id=2, there are two render actions, i.e. the application is rendering a "planning grid" view and a "planning chart" view (using the same data, hence only one data refresh)
I would like to produce a result similar to this chart: https://www.dropbox.com/s/i9vztu04fqilkmi/Screen%20Shot%202015-08-10%20at%2023.46.35.png?dl=0
(note that the chart I prepared in Excel is using slightly different demo data)
thank you already in advance
Erik
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your base search giving fields _time id timeindicator action | transaction id action maxevents=2 startswith="timeindicator=start*" endswith="timeindicator=end*" | table _time action duration | timechart sum(duration) by action
Choose the visualization as Area chart (to match your sample visualization).
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
