Splunk Search

How to set up a timechart showing three different statuses?

ThomasLehenberg
New Member

I want to set up a timechart showing three different statuses. I found this SPL online and modified it myself. The problem is still that it only shows the time range of the last STATUS. How can I add the other ones to the chart?

| makeresults
| eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    STATUS:     STATUS1    MSGTXT:     ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    STATUS:     STATUS2    MSGTXT:     ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:00:06.99 -0700","%Y-%m-%d %H:%M:%S")
| eval _raw = "DATETIME:     2017-07-11 08:04:06.99 -0700    STATUS:     STAU  MSGTXT:     ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults
    | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700   STATUS:     STATUS1    MSGTXT:     STARTED - TIME=06.53.40 "
    | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]
| append [| makeresults
    | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700   STATUS:     STATUS2    MSGTXT:     STARTED - TIME=06.53.40 "
    | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]
| append [| makeresults
    | eval _raw = "DATETIME:     2017-07-11 06:53:40.50 -0700   STATUS:     STAU    MSGTXT:     STARTED - TIME=06.53.40 "
    | eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]
| rex field=_raw "STATUS:\s+(?<STATUS>\w+)\s+"
| stats min(_time) as _time max(_time) as ENDTIME by STATUS
| eval duration=ENDTIME-_time
| table _time STATUS duration
0 Karma

Azeemering
Builder

Simple example:

Let's say you have 3 events:

2017-07-11 08:04:07.99 STATUS=STARTED
2017-07-11 08:04:08.99 STATUS=ENDED
2017-07-11 08:04:09.99 STATUS=RUNNING

See: https://imgur.com/a/7gRrw

You can run your SPL query:

source="timechart.txt" sourcetype="sourcetypestatus" | timechart count by STATUS

You will get a table where _time is the first column (X-axis) and the subsequent columns (STARTED, ENDED and RUNNING) provide the Y-axis values.

See: https://imgur.com/a/03yol

This is the simplest form of timecharting results.

0 Karma

ThomasLehenberg
New Member

Hi,

Thanks for the quick response.
I'm going to add a screenshot.
As you can see, it only shows the last status, and a timeline showing the duration of the "process". I'd like to see the duration of the other two processes as well. This is my problem.

0 Karma

kmaron
Motivator

There are some issues with the SPL you pasted. But I also don't see a timechart. What value are you trying to timechart?

0 Karma