Splunk Search

Time Chart to display active events by comparing start and stop time.

nibinabr
Communicator

I have a log file that has the start_time and stop_time of different actions. We can call the action to be in the "active" state if current time is between start_time and stop_time.

Log file looks like this
Action="action1" start_time="xxxxxx" stop_time="yyyyyy"
Action="action2" start_time="aaaaa" stop_time="bbbbb"

I need to plot a timechart that shows the status of an Action over a period of time.
Y axis will be the status(Active or Inactive)
X axis will be a range of Timeperiod.

What should the query be? Is there a way to compare the start_time and end_time with a specific point in time on the time chart?

Thanks in advance.


martin_mueller
SplunkTrust

Okay, try this:

base search giving you that event |eval times = end_time ." ". start_time | makemv times | mvexpand times | rename times as _time | streamstats count current=f | timechart values(count) as status | filldown status | fillnull status

Note, this will only work if the two times end up in different buckets. Also, you can't have categorical values on the Y axis, so I used 1 and 0 instead of active and inactive.

martin_mueller
SplunkTrust

So far you had only mentioned that you wanted to chart one event, so that's what the search does. @somesoni2's search should work for more than one event, but still carries the caveat that each bucket can only have one part of a single event.

If you have a great number of events you should instead use concurrency:

base search | eval duration = end_time - start_time | concurrency duration=duration | timechart max(concurrency)

martin_mueller
SplunkTrust

You have one event with two fields, start_time and end_time. That gets expanded into two events where one event has _time = start_time and the other has _time = end_time. The streamstats gives a zero to the end event and a one to the start event. That gets charted.


nibinabr
Communicator

Thanks for your answer, martin.

I was trying the search string, and it looks like streamstats count current=f is adding numbers in sequential order,
i.e. start_time1: 0
end_time1: 1
start_time2: 2
end_time2: 3
start_time3: 4
end_time3: 5

and not 0's and 1's alternatively.


somesoni2
Revered Legend

Try this (@Martin's search modified)

base search giving you that event |eval times = end_time ."#0 ". start_time."#1" | makemv times | mvexpand times | rex field=times "(?<times>.*)#(?<count>.*)" | rename times as _time | timechart values(count) as status | filldown status | fillnull status
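To make the mechanics of the two searches concrete, here is an added Python emulation (not Splunk, and not code from either poster) run on a constructed three-action log. `marker_chart` mirrors the makemv/mvexpand/rex search above: each action contributes a 1 at its start bucket and a 0 at its stop bucket, then filldown and fillnull complete each line. `single_bucket_actions` is the check for the caveat both answers mention: an action whose start and stop land in the same timechart bucket cannot be charted this way. `concurrency_chart` mirrors the `eval duration | concurrency | timechart max(concurrency)` alternative as a per-bucket count of overlapping actions. The bucket width, the sample timestamps and all function names are assumptions of this example.

```python
"""Emulation of the two timechart strategies discussed in the thread.
Hypothetical helper code, not Splunk SPL; bucket math mirrors timechart span=1m."""

SPAN = 60  # seconds per timechart bucket (assumed span=1m)

# Constructed sample log (not the thread's data); unix timestamps in seconds.
EVENTS = [
    {"Action": "action1", "start_time": 1417469100, "stop_time": 1417469400},
    {"Action": "action2", "start_time": 1417469250, "stop_time": 1417469700},
    # action3 starts and stops inside one bucket: the marker approach cannot show it
    {"Action": "action3", "start_time": 1417469320, "stop_time": 1417469330},
]


def bucket(t, span=SPAN):
    """Floor a unix time to the start of its timechart bucket (the _time of the row)."""
    return t - (t % span)


def bucket_range(events, span=SPAN):
    """All bucket start times from the earliest start to the latest stop, inclusive."""
    first = bucket(min(e["start_time"] for e in events), span)
    last = bucket(max(e["stop_time"] for e in events), span)
    return list(range(first, last + span, span))


def marker_chart(events, span=SPAN):
    """One status line per action, like `timechart values(count) by Action`.
    Start bucket gets marker 1 ("#1"), stop bucket gets marker 0 ("#0");
    filldown carries the last marker forward, fillnull turns the rest into 0.
    Returns {action: {bucket_start: 0 or 1}}."""
    chart = {}
    for name in sorted({e["Action"] for e in events}):
        markers = {}
        for e in (x for x in events if x["Action"] == name):
            markers[bucket(e["start_time"], span)] = 1
            markers[bucket(e["stop_time"], span)] = 0  # overwrites on a collision
        row, last = {}, None
        for b in bucket_range(events, span):
            if b in markers:
                last = markers[b]            # values(count) in this bucket
            row[b] = 0 if last is None else last  # filldown, then fillnull
        chart[name] = row
    return chart


def single_bucket_actions(events, span=SPAN):
    """Actions whose start and stop fall in the same bucket: the caveat case."""
    return sorted(
        e["Action"] for e in events
        if bucket(e["start_time"], span) == bucket(e["stop_time"], span)
    )


def concurrency_chart(events, span=SPAN):
    """Per-bucket count of actions overlapping the bucket's half-open interval,
    the shape `concurrency | timechart max(concurrency)` produces for many events.
    Returns {bucket_start: count}; no per-action lines, only the total."""
    row = {}
    for b in bucket_range(events, span):
        row[b] = sum(
            1 for e in events
            if e["start_time"] < b + span and e["stop_time"] > b
        )
    return row


if __name__ == "__main__":
    for name, line in marker_chart(EVENTS).items():
        print(name, " ".join(str(v) for v in line.values()))
    print("uncharted:", single_bucket_actions(EVENTS))
    print("concurrency:", list(concurrency_chart(EVENTS).values()))
```

Running it shows action1 active for buckets 1417469100 to 1417469340 and action2 from 1417469220 to 1417469640, while action3 stays at 0 for the whole range and is reported by `single_bucket_actions`. The concurrency line peaks at 3 in bucket 1417469280, where it correctly counts action3, which is why the concurrency approach is the safer choice when short actions or many events are involved.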

nibinabr
Communicator

Can you please explain what you are trying to do here.


martin_mueller
SplunkTrust

Could you give an example with actual start and stop times along with the desired output?


nibinabr
Communicator

start_time will be a unix time stamp like '1417469157' (12/01/2014 @ 3:25pm (UTC)) and stop_time will be '1417447860' (12/01/2014 @ 3:31pm (UTC)). So the action is active only within this time interval.

Output as a Time chart.
Y task status (two values: active or inactive)
X time period.

Timechart will say if the action was active in a particular interval of time. So when the interval is between the above mentioned start and stop time, the chart should show that action is active. For all other time periods it should show inactive. Each action will be represented by a line.


somesoni2
Revered Legend

Will the time range selected to plot the chart (x-axis) and the interval/span be static (meaning always today or last 24 hrs etc., with a fixed interval) or will it be dynamic?


nibinabr
Communicator

It will be dynamic.
