Swimlanes in Splunk Enterprise

Path Finder


My business requirement is to have a view that shows the number of batch jobs on the Y-axis and the time (in hours) on the X-axis. The row events I have look something like below:

2016-06-20T12:01:46.000 JOB_ID=1 JOB_START_TIME=1466438400.000 JOB_END_TIME=1466442106.714 JOB_NAME=Hello_job 

For this event, _time is based on when the row is inserted into the database table, which gets updated once the job finishes executing. From this event, what I need to do is:

1) Grab the start time and the end time
2) Divide the difference between start time and end time by hours
3) Tag the event with the hours
4) Increment a count for each of those hours for this job

There are multiple jobs running in the system, so I might need to find the min of start times and max of end times to find out the entire range.

If I select yesterday's time in the dashboard (_time), then it should show me all the jobs that completed yesterday, with a swim lane of the number of jobs executing at a given hour.


_time                Job ID   Job_Start_time        Job_End_time
6/16/2016 1:30 AM    Job 1    6/15/2016 11:00 PM    6/16/2016 1:20 AM
6/16/2016 3:55 AM    Job 2    6/16/2016 1:00 AM     6/16/2016 3:50 AM
6/16/2016 3:56 AM    Job 3    6/16/2016 2:00 AM     6/16/2016 3:55 AM
6/16/2016 4:12 AM    Job 3    6/16/2016 3:20 AM     6/16/2016 4:10 AM

The chart should be like following:

Job1  |  1     1     0     0     0
Job2  |  0     1     1     1     1
Job3  |  0     0     1     2     1
hrs==    12    1     2     3     4   

Note that there were a total of two Job3 executions in the 3 AM to 4 AM timeframe, which shows up in the chart.

I guess it's hard to explain, but let me know if you have any questions to solve this puzzle.
Appreciate your help.

0 Karma
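The hour-bucketing described in the question (steps 1 to 4), as an added example that is not code from the original post or from Splunk: a small Python script that parses events in the format shown above, tags each execution with every clock hour it touches, counts executions per job and hour, and prints the result as a swimlane-style table. The sample events, the job names and the reading of the table's times as UTC are constructed here to mirror the question's table; `epoch_utc`, `hour_buckets`, `swimlane_counts` and `render` are names chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

HOUR = 3600  # seconds in one clock hour


def epoch_utc(year, month, day, hour, minute=0):
    """Epoch seconds for a UTC wall-clock time (used to build the sample data)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp()


# Constructed sample events (not real data) in the layout shown in the question.
# JOB_START_TIME / JOB_END_TIME are epoch seconds; the times mirror the question's
# table, read as UTC so the example does not depend on the machine's timezone.
SAMPLE_EVENTS = [
    "2016-06-16T01:30:00.000 JOB_ID=1 JOB_START_TIME=%.3f JOB_END_TIME=%.3f JOB_NAME=Job1"
    % (epoch_utc(2016, 6, 15, 23, 0), epoch_utc(2016, 6, 16, 1, 20)),
    "2016-06-16T03:55:00.000 JOB_ID=2 JOB_START_TIME=%.3f JOB_END_TIME=%.3f JOB_NAME=Job2"
    % (epoch_utc(2016, 6, 16, 1, 0), epoch_utc(2016, 6, 16, 3, 50)),
    "2016-06-16T03:56:00.000 JOB_ID=3 JOB_START_TIME=%.3f JOB_END_TIME=%.3f JOB_NAME=Job3"
    % (epoch_utc(2016, 6, 16, 2, 0), epoch_utc(2016, 6, 16, 3, 55)),
    "2016-06-16T04:12:00.000 JOB_ID=4 JOB_START_TIME=%.3f JOB_END_TIME=%.3f JOB_NAME=Job3"
    % (epoch_utc(2016, 6, 16, 3, 20), epoch_utc(2016, 6, 16, 4, 10)),
]

EVENT_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split '<timestamp> KEY=VALUE ...' into a dict; _time is kept as epoch seconds."""
    ts, _, rest = line.partition(" ")
    fields = dict(EVENT_RE.findall(rest))
    _time = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {
        "_time": _time.timestamp(),
        "job": fields["JOB_NAME"],
        "start": float(fields["JOB_START_TIME"]),
        "end": float(fields["JOB_END_TIME"]),
    }


def hour_buckets(start, end):
    """Epoch seconds of every clock hour the interval [start, end] touches.

    Steps 1-3 of the question: take the two timestamps, round each down to the
    hour, and tag the job with every hour from the first to the last (inclusive).
    An end before the start (bad clock, truncated row) yields no hours instead
    of a runaway range.
    """
    if end < start:
        return []
    first = int(start // HOUR) * HOUR
    last = int(end // HOUR) * HOUR
    return list(range(first, last + 1, HOUR))


def swimlane_counts(lines, window_start=None, window_end=None):
    """Step 4: count, per job name, how many executions were active in each hour.

    window_start / window_end (epoch seconds, half-open) filter on _time, i.e.
    on when the job finished, which is what a dashboard time picker such as
    'yesterday' selects. Hours outside the window still appear if a selected
    job ran through them.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if window_start is not None and not (window_start <= ev["_time"] < window_end):
            continue
        for h in hour_buckets(ev["start"], ev["end"]):
            counts[ev["job"]][h] += 1
    return {job: dict(row) for job, row in counts.items()}


def render(counts):
    """Lay the counts out like the chart in the question: one row per job, one column per hour."""
    hours = sorted({h for row in counts.values() for h in row})
    out = []
    for job in sorted(counts):
        cells = " ".join("%5d" % counts[job].get(h, 0) for h in hours)
        out.append("%-6s| %s" % (job, cells))
    labels = " ".join("%5s" % datetime.fromtimestamp(h, timezone.utc).strftime("%H") for h in hours)
    out.append("%-6s| %s" % ("hr", labels))
    return "\n".join(out)


if __name__ == "__main__":
    day = epoch_utc(2016, 6, 16, 0)  # the 'yesterday' window: one whole day on _time
    print(render(swimlane_counts(SAMPLE_EVENTS, day, day + 24 * HOUR)))
```

In SPL the same bucketing is normally done by rounding JOB_START_TIME and JOB_END_TIME down to the hour, expanding the range into one row per hour with mvrange and mvexpand, and finishing with chart count over JOB_NAME by the hour field; the time picker still filters on _time, so a job is selected by when it finished rather than by when it was running. With hour buckets defined this way, an execution that ends at 3:50 counts only in the 1, 2 and 3 o'clock buckets, and one that starts at 11 PM the previous day also contributes to that 11 PM bucket.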
1 Solution

Path Finder

Which Splunk version are you using? Have you looked at the Timeline app? This might simplify your view. Just a thought.

0 Karma

Path Finder

That's exactly what I need :). Unfortunately we are still on 6.3. Is there any way to create a search query for whatever is done behind the scenes for that app?

0 Karma