I have a data set that contains start and end times of events. These events signify 'significant events' in our infrastructure. I want to be able to display this as a chart and fill in the gap between the start and end in the event.
For instance, the data looks like this:
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-07-10 16:30:00", "start_date": "2014-07-10 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-04-17 20:00:00", "start_date": "2014-04-17 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-04-28 17:30:00", "start_date": "2014-04-28 17:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-15 16:30:00", "start_date": "2014-05-15 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-26 07:00:00", "start_date": "2014-04-17 07:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-22 16:30:00", "start_date": "2014-05-22 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-26 19:00:00", "start_date": "2014-04-18 06:55:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-22 16:30:00", "start_date": "2014-05-22 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
I want to be able to do a timechart that will graph the entire window between start and end, not just points of start and end.
If I understand you correctly, like this:
SearchStringForSignificantEventsHere | eval serial=_serial | eval epochStart=strptime(start_date, "%Y-%m-%d %H:%M:%S") | eval epochEnd=strptime(end_date, "%Y-%m-%d %H:%M:%S") | map search="search earliest=$epochStart$ latest=$epochEnd$ SearchStringForOtherStuffHere | eval serial=$serial$ | timechart span=1m count by serial"
This takes each event from the list in your original post and passes serial (row number of each event in the outer search), epochStart and epochEnd, and runs another search to timechart events bounded by and aggregated against these 3 parameters.
Thanks, I will see if this can get me what I am looking for. The _serial field can come in handy!
So did this work for you?
This isn't quite what I was looking for. I want to chart all of the events however when looking at a timeline I need each one to 'fill' between the start and end time.
It looks like this solution is good for setting the search windows, but I need all of the events graphed; I am looking for a solution that fills any bucket that falls between the start and end with a true evaluation.
That way I can build a timechart that has proper total of any positive events during the timeframes.
You have said the same thing a couple of times. Will you show what this search is producing and how it is inadequate, perhaps with a mockup based on the first output? I do not at all understand what you are saying.
@woodcock,
I did not know about that _serial field, that's a handy thing to know.
I felt the same way when I discovered it here!
In the timechart command there is a cont option; have you looked at that?
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Timechart
I don't want to fill in time gaps, I want to be able to mark as true any time that lands within the start and end points in the events.
Thanks for the hint though. It will come in useful in a separate place
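The bucket-filling the asker describes (every bucket that lies between start_date and end_date marked as active, so a timechart can total the active events per bucket) as an added Python example; this is not code from the thread or from Splunk. It assumes the JSON lines from the question as input (copied here, plus one constructed record without start/end to show that such rows are skipped) and uses the row number as the serial, like Splunk's _serial. Intervals are treated as half-open, [start_date, end_date), which matches how earliest/latest bound a search.

```python
import json
from datetime import datetime, timedelta

# Constructed sample input: four records copied from the thread plus a final one
# with no start/end (constructed) to show that such rows are skipped. One JSON object per line.
SAMPLE_LINES = """
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-07-10 16:30:00", "start_date": "2014-07-10 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-04-17 20:00:00", "start_date": "2014-04-17 16:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-26 07:00:00", "start_date": "2014-04-17 07:00:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"},{"end_date": "2014-05-26 19:00:00", "start_date": "2014-04-18 06:55:00", "sys_updated_on": "2014-08-14 01:15:33"}]}
{"tags":[{"entry_time":"2015-11-18 15:46:35"}]}
""".strip().splitlines()

FMT = "%Y-%m-%d %H:%M:%S"   # the same format string the thread passes to strptime()
EPOCH = datetime(1970, 1, 1)


def parse_events(lines):
    """Return (serial, start, end) tuples; serial is the 1-based row number, like _serial."""
    events = []
    for serial, line in enumerate(lines, start=1):
        record = json.loads(line)
        fields = {}
        for tag in record["tags"]:          # the fields are spread over the "tags" list
            fields.update(tag)
        if "start_date" not in fields or "end_date" not in fields:
            continue                         # no interval to fill, skip the row
        start = datetime.strptime(fields["start_date"], FMT)
        end = datetime.strptime(fields["end_date"], FMT)
        if end < start:                      # refuse a malformed interval rather than charting nothing
            raise ValueError("row %d: end_date %s precedes start_date %s" % (serial, end, start))
        events.append((serial, start, end))
    return events


def floor_to_span(ts, span_seconds):
    """Align a timestamp to the start of its bucket (what timechart span= does)."""
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % span_seconds)


def fill_buckets(events, span_seconds=60):
    """Map each bucket start -> set of serials active in that bucket.

    An event contributes to every bucket from the one containing start_date up to,
    but excluding, the bucket that begins at end_date (half-open interval)."""
    active = {}
    span = timedelta(seconds=span_seconds)
    for serial, start, end in events:
        t = floor_to_span(start, span_seconds)
        while t < end:
            active.setdefault(t, set()).add(serial)
            t += span
    return active


def timechart(events, span_seconds=60):
    """Sorted (bucket, number of active events) rows, like `timechart span=... dc(serial)`."""
    active = fill_buckets(events, span_seconds)
    return [(t.strftime(FMT), len(serials)) for t, serials in sorted(active.items())]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for bucket, count in timechart(evs, span_seconds=3600)[:12]:
        print(bucket, count)
```

A row whose end_date equals its start_date fills no bucket under these half-open semantics; if such zero-length events should still show up, fill the bucket containing start_date unconditionally. In SPL the usual way to get the same effect is to expand each event into one row per bucket with mvrange over the two epoch values and mvexpand, set _time from that value, and only then run timechart.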