How to plot durations in a stacked area chart?

I'm a first-time user and I'd like to use Splunk for observing performance issues in an application. We want to see how much time an application uses to fetch the data and render the data.

Basically the planning application fetches data from a DB backend and renders it onto the screen. Sometimes the user wants to view the data in a grid, sometimes in a graphical chart, sometimes even both (multiple windows can be open at the same time). In case both views are open, the system only retrieves data once.

The app produces the following log at the moment:

2015-08-31 10:29:02:666 1 start-total Next Day
2015-08-31 10:29:02:686 1 start-data refresh function
2015-08-31 10:29:04:284 1 end-data refresh function
2015-08-31 10:29:04:333 1 start-render planning grid
2015-08-31 10:29:08:114 1 end-render planning grid
2015-08-31 10:29:09:227 1 end-total Next Day
2015-08-31 10:30:12:444 2 start-total planningblock
2015-08-31 10:30:12:485 2 start-data refresh function
2015-08-31 10:30:14:333 2 end-data refresh function
2015-08-31 10:30:14:356 2 start-render planning chart
2015-08-31 10:30:18:986 2 end-render planning chart
2015-08-31 10:30:18:999 2 start-render planning grid
2015-08-31 10:30:24:324 2 end-render planning grid
2015-08-31 10:30:24:554 2 end-total planningblock
2015-08-31 10:32:01:464 3 start-total active planningblock
2015-08-31 10:32:01:470 3 start-data refresh function
2015-08-31 10:32:03:001 3 end-data refresh function
2015-08-31 10:32:03:011 3 start-render planning chart
2015-08-31 10:32:09:975 3 end-render planning chart
2015-08-31 10:32:10:015 3 end-total active planningblock

I started by extracting fields:

time: 2015-08-31 10:29:02:666
id: 1
timeindicator: start-total 
action: Next Day

I played around with the transaction command, but I can't get it quite right. Ideally the output is a stacked chart with the cumulative duration per id over the time entries. In the example data for id=2, there are two render actions, i.e. the application is rendering a "planning grid" view and a "planning chart" view (using the same data, hence only one data refresh).

I would like to produce a result similar to this chart: https://www.dropbox.com/s/i9vztu04fqilkmi/Screen%20Shot%202015-08-10%20at%2023.46.35.png?dl=0
(note that the chart I prepared in Excel is using slightly different demo data)

Thank you already in advance.



Re: How to plot durations in a stacked area chart?


Try something like this

your base search giving fields _time id timeindicator action | transaction id action maxevents=2 startswith="timeindicator=start*" endswith="timeindicator=end*" | table _time action duration | timechart sum(duration) by action

Choose the visualization as Area chart (to match your sample visualization).
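
An added example, not part of the original thread: a Python cross-check that pairs the start-*/end-* events per id and action the way the transaction in the answer groups them, so the durations the chart should show can be verified offline. The function name `durations` and the phase labels are assumptions of this sketch; the log lines are the first two requests from the question.

```python
from collections import defaultdict
from datetime import datetime

# First two requests (ids 1 and 2) of the sample log posted in the question.
SAMPLE_LOG = """\
2015-08-31 10:29:02:666 1 start-total Next Day
2015-08-31 10:29:02:686 1 start-data refresh function
2015-08-31 10:29:04:284 1 end-data refresh function
2015-08-31 10:29:04:333 1 start-render planning grid
2015-08-31 10:29:08:114 1 end-render planning grid
2015-08-31 10:29:09:227 1 end-total Next Day
2015-08-31 10:30:12:444 2 start-total planningblock
2015-08-31 10:30:12:485 2 start-data refresh function
2015-08-31 10:30:14:333 2 end-data refresh function
2015-08-31 10:30:14:356 2 start-render planning chart
2015-08-31 10:30:18:986 2 end-render planning chart
2015-08-31 10:30:18:999 2 start-render planning grid
2015-08-31 10:30:24:324 2 end-render planning grid
2015-08-31 10:30:24:554 2 end-total planningblock
"""

def durations(log_text):
    """Pair start/end events per (id, phase, action); return seconds per id."""
    open_events = {}              # starts still waiting for their end event
    result = defaultdict(dict)    # id -> {"phase: action": seconds}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, req_id, indicator, action = line.split(None, 4)
        # Milliseconds follow a colon, not a dot; %f accepts the 3 digits.
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S:%f")
        edge, phase = indicator.split("-", 1)   # "start-render" -> start, render
        key = (req_id, phase, action)
        if edge == "start":
            open_events[key] = ts
        elif edge == "end" and key in open_events:
            seconds = (ts - open_events.pop(key)).total_seconds()
            result[req_id][f"{phase}: {action}"] = round(seconds, 3)
    # Anything left in open_events is a start without a matching end.
    return dict(result), open_events

if __name__ == "__main__":
    per_id, unmatched = durations(SAMPLE_LOG)
    for req_id, phases in per_id.items():
        print(req_id, phases)
    print("unmatched starts:", list(unmatched))
```

In this data the total interval spans the data and render intervals (for id 1: 6.561 s total against 1.598 s + 3.781 s), so stacking all three series counts the same time twice.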