Splunk Search

Time Chart to display active events by comparing start and stop time.

Communicator

I have a log file that has the start_time and stop_time of different actions. We can call the action to be in the "active" state if current time is between start_time and stop_time.

Log file looks like this
Action="action1" start_time="xxxxxx" stop_time="yyyyyy"
Action="action2" start_time="aaaaa" stop_time="bbbbb"

I need to plot a timechart that shows the status of an Action over a period of time.
Y axis will be the status(Active or Inactive)
X axis will be a range of Timeperiod.

What should be the query ? Is there a way to compare the start_time and end_time time with a specific point of time in the time chart?

Thanks in advance.


SplunkTrust

Okay, try this:

base search giving you that event |eval times = end_time ." ". start_time | makemv times | mvexpand times | rename times as _time | streamstats count current=f | timechart values(count) as status | filldown status | fillnull status

Note, this will only work if the two times end up in different buckets. Also, you can't have categorical values on the Y axis, so I used 1 and 0 instead of active and inactive.

SplunkTrust

So far you had only mentioned that you wanted to chart one event, so that's what the search does. @somesoni2's search should work for more than one event, but still carries the caveat that each bucket can only have one part of a single event.

If you have a great number of events you should instead use concurrency:

base search | eval _time = start_time, duration = end_time - start_time | concurrency duration=duration | timechart max(concurrency)
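Because Splunk's time bucketing is exactly what trips up the mvexpand/streamstats search (a start and a stop in the same bucket collapse into one value), the same per-bucket logic is worked through offline below in Python. This is an added example, not code from the thread or from Splunk. It parses constructed log lines in the poster's Action/start_time/stop_time format, builds the per-action active/inactive timechart the question asks for, and the peak-concurrency chart the reply above suggests. The field names are the poster's; the 60 s span, the sample timestamps and the function names are assumptions for the example.

```python
import re

# Constructed sample log lines in the poster's format (not taken from the thread).
# Times are epoch seconds; action3 starts and stops inside a single 60 s bucket,
# the case the mvexpand/streamstats search cannot represent.
SAMPLE_LOG = """\
Action="action1" start_time="1417469100" stop_time="1417469460"
Action="action2" start_time="1417469400" stop_time="1417469700"
Action="action3" start_time="1417469130" stop_time="1417469150"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_events(text):
    """Extract Action/start_time/stop_time from each key="value" log line."""
    events = []
    for line in text.splitlines():
        kv = dict(KV_RE.findall(line))
        if not {"Action", "start_time", "stop_time"} <= kv.keys():
            continue  # blank or malformed line
        start, stop = int(kv["start_time"]), int(kv["stop_time"])
        if stop < start:
            continue  # a stop before its start is bad data; do not chart it
        events.append({"action": kv["Action"], "start": start, "stop": stop})
    return events


def bucket_starts(events, span):
    """Bucket boundaries covering every event, aligned to multiples of span like timechart span=."""
    if not events:
        return range(0)
    lo = min(e["start"] for e in events) // span * span
    hi = max(e["stop"] for e in events) // span * span
    return range(lo, hi + 1, span)


def is_active(event, t0, t1):
    """An action is active over the half-open interval [start, stop);
    it overlaps the bucket [t0, t1) iff start < t1 and stop > t0."""
    return event["start"] < t1 and event["stop"] > t0


def status_chart(events, span):
    """One row per bucket, one column per Action: 1 = active at some point in the bucket, else 0.
    This is the chart the question asks for, and it stays correct when start and stop share a bucket."""
    rows = []
    for b in bucket_starts(events, span):
        row = {"_time": b}
        for e in events:
            row[e["action"]] = int(is_active(e, b, b + span))
        rows.append(row)
    return rows


def concurrency_chart(events, span):
    """Equivalent of | concurrency duration=... | timechart max(concurrency):
    the peak number of simultaneously active actions in each bucket. The active
    count only rises at a start time, so probing the bucket start plus every
    start inside the bucket finds the peak."""
    rows = []
    for b in bucket_starts(events, span):
        probes = {b} | {e["start"] for e in events if b <= e["start"] < b + span}
        peak = max(sum(1 for e in events if e["start"] <= t < e["stop"]) for t in probes)
        rows.append({"_time": b, "concurrency": peak})
    return rows


def render(rows):
    """Plain-text timechart: one line per bucket, columns in the order of the first row."""
    cols = [c for c in rows[0] if c != "_time"]
    lines = ["_time       " + "  ".join(cols)]
    for r in rows:
        lines.append(f"{r['_time']}  " + "  ".join(str(r[c]).rjust(len(c)) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(render(status_chart(events, 60)))
    print()
    print(render(concurrency_chart(events, 60)))
```

The intervals are treated as half-open, so an action that stops exactly on a bucket boundary is inactive in the bucket that starts there; a chart built by expanding start and stop into separate events and filling down gives the same columns as status_chart except for the same-bucket case, which is why the concurrency approach is the safer one when many short actions are involved.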

SplunkTrust

You have one event with two fields, start_time and end_time. That gets expanded into two events, where one event has _time = start_time and the other has _time = end_time. The streamstats gives a zero to the end event and a one to the start event. That gets charted.


Communicator

Thanks for your answer, Martin.

I was trying the search string and it looks like streamstats count current=f is adding number in sequential order.
ie start_time1: 0
end_time1: 1
start_time2: 2
end_time2: 3
start_time3: 4
end_time3: 5

and not 0's and 1's alternatively.


Revered Legend

Try this (@Martin's search modified)

base search giving you that event |eval times = end_time ."#0 ". start_time."#1" | makemv times | mvexpand times | rex field=times "(?<times>.*)#(?<count>.*)" | rename times as _time | timechart values(count) as status | filldown status | fillnull status

Communicator

Can you please explain what you are trying to do here.


SplunkTrust

Could you give an example with actual start and stop times along with the desired output?


Communicator

start_time will be a unix time stamp like '1417469157' (12/01/2014 @ 3:25pm (UTC)) and stop_time will be '1417447860' (12/01/2014 @ 3:31pm (UTC)). So the action is active only within this time interval.

Output as a Time chart.
Y task status (two values: active or inactive)
X time period.

Timechart will say if the action was active in a particular interval of time. So when the interval is between the above mentioned start and stop time, the chart should show that action is active. For all other time periods it should show inactive. Each action will be represented by a line.


Revered Legend

Will the time range selected to plot the chart (x-axis) and the interval/span be static (i.e. always today or the last 24 hrs, with a fixed interval), or will they be dynamic?


Communicator

It will be dynamic.
