Solved: Timeline visualization using attributes of an sing...

Hung_Nguyen · ‎11-11-2021

In order to visual a data table with 4 columns: time, resource1, resource2, duration. I know who to do this with data coming from different events. However in my case, all the data is stored in a single performance metric splunk event. The event would look like the blob below where measureStart node contains the start time of these tasks, and the measure node contains the durations of these tasks

Splunk Event:

{
measureStart: {
"super_Task1: mini task1": 2021-11-12T02:50:05.430Z,
"super_Task1: mini task2": 2021-11-12T02:50:06.430Z,
"super_Task2: mini task1": 2021-11-12T02:50:07.430Z,
},
measures: {
"super_Task1: mini task1": 50,
"super_Task1: mini task2": 100,
"super_Task2: mini task1": 80,
}
}

I would like to produce a table that looks like this
time supertasks tasks duration
2021-11-12T02:50:05.430Z super_Task1 point1 50
2021-11-12T02:50:06.430Z super_Task1 point2 100
2021-11-12T02:50:07.430Z super_Task2 point1 80

thank you very much!

ITWhisperer · ‎11-12-2021

| makeresults
| eval _raw="{ 
    \"measureStart\": {
        \"super_Task1: mini task1\": \"2021-11-12T02:50:05.430Z\",
        \"super_Task1: mini task2\": \"2021-11-12T02:50:06.430Z\",
        \"super_Task2: mini task1\": \"2021-11-12T02:50:07.430Z\"
    },
    \"measures\": {
        \"super_Task1: mini task1\": 50,
        \"super_Task1: mini task2\": 100,
        \"super_Task2: mini task1\": 80
    }
}"



| spath measureStart
| spath measures
| spath input=measureStart
| spath input=measures
| fields - _raw measureStart measures
| untable _time task values
| rex field=values max_match=0 "(?<values>\S+)"
| eval supertask=mvindex(split(task,":"),0)
| eval task=trim(mvindex(split(task,":"),1))
| eval _time=strptime(mvindex(values,0),"%Y-%m-%dT%H:%M:%S.%QZ")
| eval duration=mvindex(values,1)
| fields - values

View solution in original post

ITWhisperer · ‎11-12-2021

| makeresults
| eval _raw="{ 
    \"measureStart\": {
        \"super_Task1: mini task1\": \"2021-11-12T02:50:05.430Z\",
        \"super_Task1: mini task2\": \"2021-11-12T02:50:06.430Z\",
        \"super_Task2: mini task1\": \"2021-11-12T02:50:07.430Z\"
    },
    \"measures\": {
        \"super_Task1: mini task1\": 50,
        \"super_Task1: mini task2\": 100,
        \"super_Task2: mini task1\": 80
    }
}"



| spath measureStart
| spath measures
| spath input=measureStart
| spath input=measures
| fields - _raw measureStart measures
| untable _time task values
| rex field=values max_match=0 "(?<values>\S+)"
| eval supertask=mvindex(split(task,":"),0)
| eval task=trim(mvindex(split(task,":"),1))
| eval _time=strptime(mvindex(values,0),"%Y-%m-%dT%H:%M:%S.%QZ")
| eval duration=mvindex(values,1)
| fields - values

Timeline visualization using attributes of an single event

metadata

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...