Splunk Search

outcome of stats into timechart

Path Finder
host=myserver JobWrapper | transaction keepevicted=true jobid 
| where job="provisioningJob" | stats max(duration) AS readytime by jobcallerref 

Our log files have different provisioningJobs for each user (identified by the jobcallerref); the 'readytime', the time before the user is fully provisioned, is determined by the longest-running job.

With the above query I get a list of the longest durations for each user.

Now I would like to chart it over time ... I am no longer interested in the jobcallerref, so I want to graph those 'readytime's over the time they occurred.

Can't figure out how to feed these results back into a timechart ...

1 Solution

SplunkTrust

Sounds like you're getting there. Timechart doesn't know what kind of rows you're giving it. As long as you give it a _time field it'll happily chart the rows as though they were events.

So this might get you a step closer.

host=myserver JobWrapper | transaction keepevicted=true jobid 
| where job="provisioningJob" | stats max(_time) as _time max(duration) AS readytime by jobcallerref 
| timechart max(readytime) by jobcallerref 

Although I suspect you may be hoping for something closer to a Gantt chart, which can't really be done.


Path Finder
| stats max(duration) AS readytime, max(_time) as _time by jobcallerref |fields + _time, readytime

Finally found something in the direction of what I want ... the trick was to also do a max() or min() or something on the _time field.
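The point made in the accepted answer and confirmed in the comment above is that `stats ... by jobcallerref` throws away `_time`, so `timechart` has nothing to bucket on unless `_time` is re-derived with `max(_time) AS _time`. The following is an added example, not code from the thread or from Splunk: a small Python model of the pipeline (`transaction jobid | where job="provisioningJob" | stats max(_time) AS _time max(duration) AS readytime by jobcallerref | timechart span=10m max(readytime)`) run over constructed JobWrapper events, with a switch that drops the `max(_time)` term so the empty result can be seen. The event fields, timestamps, job names and the 10-minute span are assumptions chosen for the example; only the field names `jobid`, `jobcallerref`, `job` and `duration` come from the thread.

```python
from collections import defaultdict
from datetime import datetime, timezone


def epoch(ts):
    """ISO-8601 UTC timestamp -> epoch seconds (Splunk's _time representation)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def ev(ts, jobid, ref, job):
    return {"_time": epoch(ts), "jobid": jobid, "jobcallerref": ref, "job": job}


# Constructed sample events (not from the original thread): each JobWrapper job
# logs a start line and an end line that share the same jobid.
EVENTS = [
    ev("2012-03-01T10:00:00Z", "j1", "user1", "provisioningJob"),
    ev("2012-03-01T10:03:00Z", "j1", "user1", "provisioningJob"),   # 180 s
    ev("2012-03-01T10:00:10Z", "j2", "user1", "provisioningJob"),
    ev("2012-03-01T10:07:10Z", "j2", "user1", "provisioningJob"),   # 420 s -> user1 readytime
    ev("2012-03-01T10:00:00Z", "j3", "user1", "cleanupJob"),
    ev("2012-03-01T10:20:00Z", "j3", "user1", "cleanupJob"),        # 1200 s, filtered out by `where`
    ev("2012-03-01T10:12:00Z", "j4", "user2", "provisioningJob"),
    ev("2012-03-01T10:14:00Z", "j4", "user2", "provisioningJob"),   # 120 s -> user2 readytime
    ev("2012-03-01T10:12:30Z", "j5", "user2", "provisioningJob"),
    ev("2012-03-01T10:13:00Z", "j5", "user2", "provisioningJob"),   # 30 s
    ev("2012-03-01T10:15:00Z", "j6", "user3", "provisioningJob"),
    ev("2012-03-01T10:25:00Z", "j6", "user3", "provisioningJob"),   # 600 s -> user3 readytime
]


def transaction(events, field):
    """Model of `transaction <field>`: one row per distinct field value, with
    _time = earliest event in the group and duration = latest - earliest."""
    groups = defaultdict(list)
    for e in events:
        groups[e[field]].append(e)
    rows = []
    for evs in groups.values():
        times = [e["_time"] for e in evs]
        row = dict(evs[0])                 # other fields are taken from the group's events
        row["_time"] = min(times)
        row["duration"] = max(times) - min(times)
        rows.append(row)
    return rows


def provisioning_rows(events):
    """`transaction jobid | where job="provisioningJob"`"""
    return [r for r in transaction(events, "jobid") if r["job"] == "provisioningJob"]


def stats_readytime(rows, keep_time=True):
    """Model of `stats max(duration) AS readytime [max(_time) AS _time] by jobcallerref`.
    With keep_time=False the result rows carry no _time field at all, which is
    the situation the original poster started from."""
    out = {}
    for r in rows:
        o = out.setdefault(r["jobcallerref"], {"jobcallerref": r["jobcallerref"], "readytime": 0})
        o["readytime"] = max(o["readytime"], r["duration"])
        if keep_time:
            o["_time"] = max(o.get("_time", 0), r["_time"])
    return list(out.values())


def timechart_max(rows, field, span_seconds):
    """Model of `timechart span=<span> max(<field>)`: floor _time to the span,
    keep the max per bucket. Rows without _time cannot be placed on the axis
    and are dropped, so a stats result lacking _time charts as nothing."""
    buckets = {}
    for r in rows:
        if "_time" not in r:
            continue
        b = int(r["_time"] // span_seconds * span_seconds)
        buckets[b] = max(buckets.get(b, 0), r[field])
    return dict(sorted(buckets.items()))


def readytime_chart(events, keep_time=True, span_seconds=600):
    """The whole pipeline; returns {bucket_start_epoch: max readytime in bucket}."""
    return timechart_max(stats_readytime(provisioning_rows(events), keep_time), "readytime", span_seconds)


if __name__ == "__main__":
    for b, v in readytime_chart(EVENTS).items():
        print(datetime.fromtimestamp(b, timezone.utc).strftime("%H:%M"), int(v))
    print("without max(_time):", readytime_chart(EVENTS, keep_time=False))
```

Run with the `max(_time)` term kept, the chart has two 10-minute buckets (10:00 with user1's 420 s, 10:10 with the larger of user2's 120 s and user3's 600 s); with it dropped, the same data produces an empty chart, which is the behaviour the question describes. The per-user readytime comes from the longest of that user's provisioning transactions, so a single slow job is what drives the value, exactly as the question states.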

Contributor

I hope that one works (you'd change the span value to something smaller/bigger):

host=myserver JobWrapper | transaction keepevicted=true jobid | where job="provisioningJob" | timechart span=10m max(duration) by jobcallerref 

Contributor

Alright, and sorry for not helping at all - I rated your question up, so maybe some smart guys can take care of it, or request a feature 🙂

Path Finder

I think it's just not possible ...

This post is pretty related: http://answers.splunk.com/questions/4142/weirdness-using-max-and-min-in-eval-operating-on-numeric-mu...

The fact that max() can only be used with stats, timechart and chart is the basic problem ... I would like to use it as a filter, to only continue with the max values from multi-value fields.


Contributor

Hmm, not sure and running out of options 😉 . . .

search | timechart span=10m max(duration) by duration
search | timechart span=10m max(duration)

Path Finder

That's not what I meant ... I am no longer interested in the jobcallerrefs in the chart ... just those max values.
