Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to timechart the time differences between ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to timechart the time differences between (ITNM) events / phases?
I have the following data that I'm trying to timechart the differences between:
2023-02-16T16:14:04: Data Processing Phase -1 completed
2023-02-16T14:01:00: Data Processing Phase -1 starting
2023-02-16T14:01:00: Data Collection Phase 3 (Final Collection Phase) completed
2023-02-16T11:34:10: Data Collection Phase 2 starting
2023-02-16T11:34:10: Data Collection Phase 1 completed
2023-02-16T11:34:10: Data Collection Phase 3 (Final Collection Phase) starting
2023-02-16T11:34:10: Data Collection Phase 2 completed
2023-02-16T09:01:36: Data Collection Phase 1 starting
I've sliced up the data using the following SPL, but that will only give me a look at the time differences over the selected timeline. I can't figure out how to slice this data up so that I'm able to timechart the differences over multiple runs of the Data Collection Phases.
| stats first(_time) as End, last(_time) as Start by Phase, PhaseIdentifier
| eval RunTime = round((End - Start) / 60, 0)
| eval Start=strftime(Start, "%c")
| eval End=strftime(End, "%c")
| rename RunTime AS "RunTime (Minutes)"
I'm used to working more with metrics and logs that spit out runtimes, so this has been vexing me for entirely too long...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use streamstats to define an identifier for each iteration. If, for example, the cycle is terminated by the Data Processing Phase -1 completed, then you can use streamstats to define the iteration count based on that occurring, e.g. this example
| makeresults
| eval data=split(replace("
2023-02-16T16:14:04: Data Processing Phase -1 completed
2023-02-16T14:01:00: Data Processing Phase -1 starting
2023-02-16T14:01:00: Data Collection Phase 3 (Final Collection Phase) completed
2023-02-16T11:34:10: Data Collection Phase 2 starting
2023-02-16T11:34:10: Data Collection Phase 1 completed
2023-02-16T11:34:10: Data Collection Phase 3 (Final Collection Phase) starting
2023-02-16T11:34:10: Data Collection Phase 2 completed
2023-02-16T09:01:36: Data Collection Phase 1 starting
2023-02-15T16:14:04: Data Processing Phase -1 completed
2023-02-15T14:01:00: Data Processing Phase -1 starting
2023-02-15T14:01:00: Data Collection Phase 3 (Final Collection Phase) completed
2023-02-15T11:34:10: Data Collection Phase 2 starting
2023-02-15T11:34:10: Data Collection Phase 1 completed
2023-02-15T11:34:10: Data Collection Phase 3 (Final Collection Phase) starting
2023-02-15T11:34:10: Data Collection Phase 2 completed
2023-02-15T09:01:36: Data Collection Phase 1 starting", "\n", "##"), "##")
| mvexpand data
| eval _time=strptime(data, "%FT%T")
| rex field=data ": (?<Phase>Data (Processing|Collection) Phase) (?<PhaseIdentifier>-?\d+) (?<state>.*)"
| streamstats count(eval(if(PhaseIdentifier=-1 AND state="completed", 1, null()))) as iteration
| stats first(_time) as End, last(_time) as Start by iteration Phase PhaseIdentifier
| eval RunTime = round((End - Start) / 60, 0)
| eval Start=strftime(Start, "%c")
| eval End=strftime(End, "%c")
| rename RunTime AS "RunTime (Minutes)"
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
