Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

timechart a mapped search?

jxstanford
Explorer
‎06-27-2013 11:37 AM

Here's a summary of what I'm trying to do:

  1. Find a job by ID
  2. Use the start/end time of that job to bound a search for system performance metrics
  3. chart the results

This is a search that finds the job and brings back the performance results in the jobs time window:

sourcetype=joblog jobID=693 starttime="06/14/2013:00:00:00" endtime="06/17/2013:00:00:00" | map search="search eventtype=windows_performance Host=ZSN* object=Processor counter=%\ Processor\ Time instance=_Total timeformat=\"%m/%d/%Y %H:%M:%S %p\" starttime=$startTime$ endtime=$endTime$"

example result:

06/15/2013 13:46:12.646
collection=CPUTime
object=Processor
counter="% Processor Time"
instance=_Total
Value=3.2852405007373298

But when I try to timechart it like:

| timechart span=15s max(Value)

The timechart has the outer start/end time and does not contain any results. Any suggestions on how to create this type of chart?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-01-2013 03:34 PM

You should use a subsearch instead of map:

[ search sourcetype=joblog jobID=693 earliest=-2w latest=-2w+1d
  | eval earliest=strptime(startTime,"%m/%d/%Y %H:%M:%S") 
  | eval latest=strptime(endTime,"%m/%d/%Y %H:%M:%S")
  | return earliest latest ]
eventtype=windows_performance Host=ZSN* object=Processor instance=_Total
| timechart max(Value)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-01-2013 03:34 PM

You should use a subsearch instead of map:

[ search sourcetype=joblog jobID=693 earliest=-2w latest=-2w+1d
  | eval earliest=strptime(startTime,"%m/%d/%Y %H:%M:%S") 
  | eval latest=strptime(endTime,"%m/%d/%Y %H:%M:%S")
  | return earliest latest ]
eventtype=windows_performance Host=ZSN* object=Processor instance=_Total
| timechart max(Value)
0 Karma
Reply
Solved! Jump to solution

jxstanford
Explorer
‎07-08-2013 05:29 PM

ah, just missing search as the first term inside [ ].

0 Karma
Reply
Solved! Jump to solution

jxstanford
Explorer
‎07-02-2013 08:55 AM

I figured there was a better way. When I use this, it returns "Unknown search command 'sourcetype'." I'm pretty much a noob. Am I missing part of the command?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...