I have a log file that has the start_time and stop_time of different actions. We call an action "active" if the current time is between its start_time and stop_time.
The log file looks like this:
Action="action1" start_time="xxxxxx" stop_time="yyyyyy"
Action="action2" start_time="aaaaa" stop_time="bbbbb"
I need to plot a timechart that shows the status of an Action over a period of time.
Y axis will be the status(Active or Inactive)
X axis will be a range of Timeperiod.
What should the query be? Is there a way to compare the start_time and end_time with a specific point in time on the timechart?
Thanks in advance.
Okay, try this:
base search giving you that event |eval times = end_time ." ". start_time | makemv times | mvexpand times | rename times as _time | streamstats count current=f | timechart values(count) as status | filldown status | fillnull status
Note, this will only work if the two times end up in different buckets. Also, you can't have categorical values on the Y axis, so I used 1 and 0 instead of active and inactive.
So far you had only mentioned that you wanted to chart one event, so that's what the search does. @somesoni2's search should work for more than one event, but still carries the caveat that each bucket can only have one part of a single event.
If you have a great number of events, you should instead use
base search | eval duration = end_time - start_time | concurrency duration=duration | timechart max(concurrency)
You have one event with two fields, start_time and end_time. That gets expanded into two events, where one event has _time = start_time and the other has _time = end_time. The streamstats gives a zero to the end event and a one to the start event. That gets charted.
Thanks for your answer Martin.
I was trying the search string and it looks like streamstats count current=f is adding numbers in sequential order,
i.e. start_time1: 0
and not 0's and 1's alternatively.
Try this (@Martin's search modified):
base search giving you that event |eval times = end_time ."#0 ". start_time."#1" | makemv times | mvexpand times | rex field=times "(?<times>.*)#(?<count>.*)" | rename times as _time | timechart values(count) as status | filldown status | fillnull status
start_time will be a Unix timestamp like '1417469157' (12/01/2014 @ 3:25pm (UTC)) and stop_time will be '1417447860' (12/01/2014 @ 3:31pm (UTC)). So the action is active only between this time interval.
Output as a timechart:
Y: task status (two values: active or inactive)
X: time period.
Timechart will say if the action was active in a particular interval of time. So when the interval is between the above mentioned start and stop time, the chart should show that action is active. For all other time periods it should show inactive. Each action will be represented by a line.
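The thread's approach (expand each event into a start marker and a stop marker, bucket them, fill down) works when the two markers land in different buckets, which Martin's caveat points out. As an added example, not code from the thread or from Splunk, the script below parses log lines in the question's format and builds the per-action active/inactive chart two ways: an overlap test (a bucket is active if the interval touches it, so a start and stop in the same bucket still chart correctly) and a re-implementation of the marker-and-filldown approach, which shows the same-bucket collision. The log lines, the 5-minute span and the time window are constructed for the demonstration; an interval whose stop_time precedes its start_time is treated as malformed and dropped.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the question's format (not taken from the post).
# Epoch seconds on 2014-12-01 UTC; action2 starts and stops inside one 5-minute bucket.
SAMPLE_LOG = """\
Action="action1" start_time="1417392300" stop_time="1417393500"
Action="action2" start_time="1417392900" stop_time="1417393100"
Action="action1" start_time="1417394700" stop_time="1417395000"
junk line that should be ignored
"""

LINE_RE = re.compile(
    r'Action="(?P<action>[^"]+)"\s+start_time="(?P<start>\d+)"\s+stop_time="(?P<stop>\d+)"'
)


def parse_log(text):
    """Return (action, start, stop) tuples; non-matching lines and intervals with stop < start are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        start, stop = int(m["start"]), int(m["stop"])
        if stop < start:
            continue  # malformed interval; charting it would yield a bogus 'active' bucket
        events.append((m["action"], start, stop))
    return events


def bucket_starts(span, t_min, t_max):
    """Bucket boundaries covering [t_min, t_max), aligned to multiples of span like timechart span=."""
    return list(range(t_min - t_min % span, t_max, span))


def overlap_chart(events, span, t_min, t_max):
    """Per action: 1 if [start, stop) overlaps the bucket, else 0.
    Correct even when start and stop fall in the same bucket."""
    buckets = bucket_starts(span, t_min, t_max)
    chart = {a: [0] * len(buckets) for a in sorted({e[0] for e in events})}
    for action, start, stop in events:
        for i, b in enumerate(buckets):
            if start < b + span and stop > b:
                chart[action][i] = 1
    return buckets, chart


def marker_chart(events, span, t_min, t_max):
    """The thread's approach: a 1 marker at start_time, a 0 marker at stop_time, distinct
    values per bucket, then fill down. A bucket holding both markers is ambiguous (None),
    and the ambiguity is filled down too, which is the caveat the answers mention."""
    buckets = bucket_starts(span, t_min, t_max)
    chart = {}
    for action in sorted({e[0] for e in events}):
        markers = defaultdict(set)
        for a, start, stop in events:
            if a == action:
                markers[start - start % span].add(1)
                markers[stop - stop % span].add(0)
        series, last = [], 0  # inactive before the first marker
        for b in buckets:
            if b in markers:
                vals = markers[b]
                last = next(iter(vals)) if len(vals) == 1 else None
            series.append(last)
        chart[action] = series
    return buckets, chart


def render(buckets, chart):
    """ASCII timechart: one row per action, '#' active, '.' inactive, '?' ambiguous."""
    sym = {1: "#", 0: ".", None: "?"}
    lines = [f"{'':10} buckets from {buckets[0]} span={buckets[1] - buckets[0]}s"]
    for action, series in chart.items():
        lines.append(f"{action:10} " + "".join(sym[v] for v in series))
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    t_min, t_max, span = 1417392000, 1417395600, 300
    print(render(*overlap_chart(events, span, t_min, t_max)))
    print(render(*marker_chart(events, span, t_min, t_max)))
```

Running it prints two charts: in the overlap chart action2 shows one active bucket, while in the marker chart that bucket and everything after it is '?', because the 1 and 0 markers collided and the collision was filled down. Splunk's concurrency command sidesteps the problem for counts, but for a per-action on/off line the overlap test is the one to reproduce.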