Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart a mapped search?

jxstanford
Explorer
‎06-27-2013 11:37 AM

Here's a summary of what I'm trying to do:

  1. Find a job by ID
  2. Use the start/end time of that job to bound a search for system performance metrics
  3. chart the results

This is a search that finds the job and brings back the performance results in the jobs time window:

sourcetype=joblog jobID=693 starttime="06/14/2013:00:00:00" endtime="06/17/2013:00:00:00" | map search="search eventtype=windows_performance Host=ZSN* object=Processor counter=%\ Processor\ Time instance=_Total timeformat=\"%m/%d/%Y %H:%M:%S %p\" starttime=$startTime$ endtime=$endTime$"

example result:

06/15/2013 13:46:12.646
collection=CPUTime
object=Processor
counter="% Processor Time"
instance=_Total
Value=3.2852405007373298

But when I try to timechart it like:

| timechart span=15s max(Value)

The timechart has the outer start/end time and does not contain any results. Any suggestions on how to create this type of chart?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-01-2013 03:34 PM

You should use a subsearch instead of map:

[ search sourcetype=joblog jobID=693 earliest=-2w latest=-2w+1d
  | eval earliest=strptime(startTime,"%m/%d/%Y %H:%M:%S") 
  | eval latest=strptime(endTime,"%m/%d/%Y %H:%M:%S")
  | return earliest latest ]
eventtype=windows_performance Host=ZSN* object=Processor instance=_Total
| timechart max(Value)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-01-2013 03:34 PM

You should use a subsearch instead of map:

[ search sourcetype=joblog jobID=693 earliest=-2w latest=-2w+1d
  | eval earliest=strptime(startTime,"%m/%d/%Y %H:%M:%S") 
  | eval latest=strptime(endTime,"%m/%d/%Y %H:%M:%S")
  | return earliest latest ]
eventtype=windows_performance Host=ZSN* object=Processor instance=_Total
| timechart max(Value)
0 Karma
Reply
Solved! Jump to solution

jxstanford
Explorer
‎07-08-2013 05:29 PM

ah, just missing search as the first term inside [ ].

0 Karma
Reply
Solved! Jump to solution

jxstanford
Explorer
‎07-02-2013 08:55 AM

I figured there was a better way. When I use this, it returns "Unknown search command 'sourcetype'." I'm pretty much a noob. Am I missing part of the command?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...