Re: Area Chart to show duration between two dates

Noob_splunker · ‎06-28-2020

Hi Splunkers,

I'm a newbie in Splunk. I'm trying to create a chart to show the duration between two dates (Occurtime and ClearTime but I'm unable to get my desired result.

Here's my Data:

Data1

1593323763.234,AlarmName="Mains Input Out of Range",State="Unacknowledged & Cleared",EventType="Power System",Occurtime="2020-06-28 11:09:42",ClearTime="2020-06-28 17:55:05"

Data2

1593323716.209,,AlarmName="NodeB Unavailable",State="Unacknowledged & Cleared",EventType="Running System",Occurtime="2020-06-28 11:59:32",ClearTime="2020-06-28 17:55:13"

Here is my query:

|eval dur_sec=strptime(ClearTime,"%Y-%m-%d %H:%M:%S.%N")-strptime(Occurtime,"%Y-%m-%d %H:%M:%S.%N")
|eval dur_sec=round((strptime(ClearTime,"%Y-%m-%d %H:%M:%S.%N")-strptime(Occurtime,"%Y-%m-%d %H:%M:%S.%N")))
|eval duration=tostring(dur_sec,"duration")
|convert num(duration)
|eval duration=round(duration/60,2)
| eval filter=case(
searchmatch("AC Failure*"),"Power Outage",
searchmatch("Cell Blocked*"),"Cell Blocked",
searchmatch("NodeB Unavailable"),"3G Outage",
searchmatch("eNodeB S1 Control Plane Transmission Interruption"),"4G Outage",1=1,"No Filter match")
| chart max(duration) over Occurtime by filter

Can anyone help me?

niketn · ‎07-09-2020

@Noob_splunker Please explore Chart Event Annotation or Region Chart Viz Custom Visualization for your use case. Refer to one of my older answer with run anywhere example for both: https://community.splunk.com/t5/Dashboards-Visualizations/add-custom-name-in-chart-viz-for-empty-spa...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway · ‎06-28-2020

What is your desired result? An area chart requires more than two data points.

This search works with more data points.

| makeresults 
| eval data="1593323763.234,AlarmName=\"Mains Input Out of Range\",State=\"Unacknowledged & Cleared\",EventType=\"Power System\",Occurtime=\"2020-06-28 11:09:42\",ClearTime=\"2020-06-28 17:55:05\"#
1593323716.209,,AlarmName=\"NodeB Unavailable\",State=\"Unacknowledged & Cleared\",EventType=\"Running System\",Occurtime=\"2020-06-28 11:59:32\",ClearTime=\"2020-06-28 17:55:13\"#
1593323710.209,,AlarmName=\"NodeB Unavailable\",State=\"Unacknowledged & Cleared\",EventType=\"Running System\",Occurtime=\"2020-06-28 11:59:26\",ClearTime=\"2020-06-28 17:54:10\"#
1593323706.209,,AlarmName=\"NodeB Unavailable\",State=\"Unacknowledged & Cleared\",EventType=\"Running System\",Occurtime=\"2020-06-28 11:59:16\",ClearTime=\"2020-06-28 16:50:03\"" 
| eval data=split(data,"#") 
| mvexpand data 
| eval _raw=data 
| extract kvdelim=",", pairdelim="=" 
| rex "(?<time>\d+)" 
| eval _time=time 
`comment("Everything above just creates test data")`
| eval duration=round((strptime(ClearTime,"%Y-%m-%d %H:%M:%S.%N")-strptime(Occurtime,"%Y-%m-%d %H:%M:%S.%N"))) 
| eval filter=case(
    searchmatch("AC Failure*"),"Power Outage",
    searchmatch("Cell Blocked*"),"Cell Blocked",
    searchmatch("NodeB Unavailable"),"3G Outage",
    searchmatch("eNodeB S1 Control Plane Transmission Interruption"),"4G Outage",1=1,"No Filter match") 
| chart max(duration) over Occurtime by filter

---
If this reply helps you, Karma would be appreciated.

Noob_splunker · ‎06-28-2020

Hi @richgalloway thanks for your reply.

My desired result is more of like this.

Y-axis is the duration.

richgalloway · ‎06-28-2020

You say the Y-axis is the duration, but isn't the X-axis also a duration in the mock-up graph? The distance between Occurtime and ClearTime is the duration. I'm not sure such a graph is possible.

---
If this reply helps you, Karma would be appreciated.

Area Chart to show duration between two dates

chart

timechart

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk