Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to setup a timechart showing three differe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to setup a timechart showing three different statuses?
I want to set up a timechart, showing three different status. Now I found this SPL online, which was modified by myself. The problem still is that it only shows the time range of the last STATUS. How can I adapt the other ones to the chart?
| makeresults
| eval _raw = "DATETIME: 2017-07-11 08:04:06.99 -0700 STATUS: STATUS1 MSGTXT: ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| eval _raw = "DATETIME: 2017-07-11 08:04:06.99 -0700 STATUS: STATUS2 MSGTXT: ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:00:06.99 -0700","%Y-%m-%d %H:%M:%S")
| eval _raw = "DATETIME: 2017-07-11 08:04:06.99 -0700 STATUS: STAU MSGTXT: ENDED - TIME=08.04.06"
| eval _time = strptime("2017-07-11 08:04:06.99 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults
| eval _raw = "DATETIME: 2017-07-11 06:53:40.50 -0700 STATUS: STATUS1 MSGTXT: STARTED - TIME=06.53.40 "
| eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")]
| append [| makeresults
| eval _raw = "DATETIME: 2017-07-11 06:53:40.50 -0700 STATUS: STATUS2 MSGTXT: STARTED - TIME=06.53.40 "
| eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")
| append [| makeresults
| eval _raw = "DATETIME: 2017-07-11 06:53:40.50 -0700 STATUS: STAU MSGTXT: STARTED - TIME=06.53.40 "
| eval _time = strptime("2017-07-11 06:53:40.50 -0700","%Y-%m-%d %H:%M:%S")
| rex field=_raw "STATUS:\s+(?<STATUS>\w+)\s+"
| stats min(_time) as _time max(_time) as ENDTIME by STATUS
| eval duration=ENDTIME-_time
| table _time STATUS duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simple example:
Lets's say you have 3 events:
2017-07-11 08:04:07.99 STATUS=STARTED
2017-07-11 08:04:08.99 STATUS=ENDED
2017-07-11 08:04:09.99 STATUS=RUNNING
See: https://imgur.com/a/7gRrw
You can run your spl query:
source="timechart.txt" sourcetype="sourcetypestatus" | timechart count by STATUS.
You will get a table where _time is the first column (X-Axis) and the subsequent columns (STARTED ENDED and RUNNING) provide the Y-Axis values).
See: https://imgur.com/a/03yol
This is the simplest form of timecharting results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are some issues with the SPL you pasted. But I also don't see a timechart. What value are you trying to timechart?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
