I have a log file that has the start_time and stop_time of different actions. We can say the action is in the "active" state if the current time is between start_time and stop_time.
The log file looks like this:
Action="action1" start_time="xxxxxx" stop_time="yyyyyy"
Action="action2" start_time="aaaaa" stop_time="bbbbb"
I need to plot a timechart that shows the status of an Action over a period of time.
Y axis will be the status (Active or Inactive).
X axis will be a range of time periods.
What should the query be? Is there a way to compare the start_time and end_time with a specific point in time on the timechart?
Thanks in advance.
Okay, try this:
base search giving you that event |eval times = end_time ." ". start_time | makemv times | mvexpand times | rename times as _time | streamstats count current=f | timechart values(count) as status | filldown status | fillnull status
Note, this will only work if the two times end up in different buckets. Also, you can't have categorical values on the Y axis, so I used 1 and 0 instead of active and inactive.
So far you had only mentioned that you wanted to chart one event, so that's what the search does. @somesoni2's search should work for more than one event, but still carries the caveat that each bucket can only have one part of a single event.
If you have a great number of events you should instead use concurrency:
base search | eval duration = end_time - start_time | concurrency duration=duration | timechart max(concurrency)
You have one event with two fields, start_time and end_time. That gets expanded into two events where one event has _time = start_time and the other has _time = end_time. The streamstats gives a zero to the end event and a one to the start event. That gets charted.
Thanks for your answer, Martin.
I was trying the search string and it looks like streamstats count current=f is adding numbers in sequential order,
i.e. start_time1: 0
end_time1: 1
start_time2: 2
end_time2: 3
start_time3: 4
end_time3: 5
and not 0's and 1's alternatively.
Try this (@Martin's search modified)
base search giving you that event |eval times = end_time ."#0 ". start_time."#1" | makemv times | mvexpand times | rex field=times "(?<times>.*)#(?<count>.*)" | rename times as _time | timechart values(count) as status | filldown status | fillnull status
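To make the bucketing behaviour of the two searches above (Martin's boundary-event expansion and @somesoni2's "#0"/"#1" variant) and of the concurrency alternative concrete, here is an added Python model of what timechart does with those boundary events. It is example code written for this thread, not Splunk code and not from either poster: it parses constructed log lines in the question's format, expands each interval into a start boundary (status 1) and a stop boundary (status 0), collapses them per bucket the way filldown/fillnull would, and reports the intervals that start and stop inside a single bucket, which is exactly the case Martin's caveat says the approach cannot show. The concurrency function is my reading of what `concurrency duration=...` computes (events in progress at each event's start time), labelled as an assumption in the code.

```python
"""Model of the thread's timechart approaches to start/stop intervals.

Added example, not part of the original thread and not Splunk SPL. It
reproduces the boundary-event expansion (status 1 at start_time, 0 at
stop_time, filldown in between) and a concurrency count on constructed
input, so the "both boundaries in one bucket" caveat can be observed.
"""
import re
from collections import defaultdict

# Constructed log lines in the format from the question; times are epoch seconds.
LOG_LINES = [
    'Action="action1" start_time="1000" stop_time="1700"',
    'Action="action2" start_time="1200" stop_time="1250"',  # starts and stops inside one 300s bucket
    'Action="action3" start_time="1600" stop_time="2200"',
    'this line is not an action record',                    # malformed on purpose, must be skipped
]

LINE_RE = re.compile(
    r'Action="(?P<action>[^"]+)"\s+start_time="(?P<start>\d+)"\s+stop_time="(?P<stop>\d+)"'
)


def parse_log(lines):
    """Return a list of (action, start, stop) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m["action"], int(m["start"]), int(m["stop"])))
    return events


def boundary_events(events):
    """Expand every interval into two boundary events, like mvexpand on "stop#0 start#1".

    Status 1 is attached to start_time and 0 to stop_time (the thread's 1/0 convention).
    Sorted by time so that later boundaries are applied after earlier ones."""
    out = []
    for action, start, stop in events:
        out.append((start, action, 1))
        out.append((stop, action, 0))
    return sorted(out)


def bucket_of(t, span, t0):
    """Start of the span-sized bucket (aligned on t0) that contains time t."""
    return t0 + ((t - t0) // span) * span


def timechart_status(events, span, t0, t1):
    """Per-action status per bucket for t0 <= bucket < t1, as {action: [(bucket, status), ...]}.

    Mimics: boundary expansion -> one value per bucket -> filldown -> fillnull 0.
    Inside one bucket the boundaries are applied in time order and the last one wins,
    which is how an interval that starts and stops in the same bucket never shows as active."""
    buckets = list(range(t0, t1, span))
    boundaries = boundary_events(events)
    chart = {}
    for action in sorted({a for a, _, _ in events}):
        current = 0                     # fillnull: inactive until a boundary says otherwise
        marks = {}                      # bucket -> status of the last boundary landing in it
        for t, a, status in boundaries:
            if a != action:
                continue
            if t < t0:
                current = status        # a boundary before the window fixes the initial state
            elif t < t1:
                marks[bucket_of(t, span, t0)] = status
        row = []
        for b in buckets:
            current = marks.get(b, current)  # filldown: carry the last known status forward
            row.append((b, current))
        chart[action] = row
    return chart


def invisible_intervals(events, span, t0):
    """Intervals whose start and stop fall in the same bucket.

    The boundary approach cannot chart these as active; widen the span or use concurrency."""
    return [(a, s, e) for a, s, e in events if bucket_of(s, span, t0) == bucket_of(e, span, t0)]


def concurrency(events):
    """Per event, the number of intervals in progress at its start (itself included).

    Assumption: this is how `concurrency duration=duration` counts from _time and duration,
    i.e. an interval is in progress at time t when start <= t < start + duration."""
    out = []
    for action, start, stop in events:
        n = sum(1 for _, s, e in events if s <= start < s + (e - s))
        out.append((action, start, n))
    return out


def timechart_max_concurrency(events, span, t0, t1):
    """Equivalent of `timechart max(concurrency)` over the bucketed event start times."""
    buckets = list(range(t0, t1, span))
    result = {b: 0 for b in buckets}
    for _, start, n in concurrency(events):
        if t0 <= start < t1:
            b = bucket_of(start, span, t0)
            result[b] = max(result[b], n)
    return [(b, result[b]) for b in buckets]


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for action, row in timechart_status(evs, 300, 900, 2400).items():
        print(action, [s for _, s in row])
    print("not chartable with span=300:", invisible_intervals(evs, 300, 900))
    print("max concurrency per bucket:", timechart_max_concurrency(evs, 300, 900, 2400))
```

With a 300-second span, action2 (1200 to 1250) lands entirely in the 1200 bucket and shows as inactive everywhere, while the concurrency chart still counts it in that bucket. A record whose stop_time is earlier than its start_time yields a negative duration and should be filtered out before either approach.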
Can you please explain what you are trying to do here.
Could you give an example with actual start and stop times along with the desired output?
start_time will be a Unix timestamp like '1417469157' (12/01/2014 @ 3:25pm (UTC)) and stop_time will be '1417447860' (12/01/2014 @ 3:31pm (UTC)). So the action is active only between this time interval.
Output as a timechart.
Y: task status (two values: active or inactive)
X: time period.
Timechart will say if the action was active in a particular interval of time. So when the interval is between the above mentioned start and stop time, the chart should show that action is active. For all other time periods it should show inactive. Each action will be represented by a line.
Will the time range selected to plot the chart (x-axis) and the interval/span be static (meaning always today or last 24 hrs, etc., but a fixed interval), or will it be dynamic?
It will be dynamic.