All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timeline - Custom Visualization: How do create a timeline based on this log's time format?

Toshbar
Explorer
‎07-20-2017 10:34 AM

I have a log that contains two distinct entries per JOBID. For example:

DATETIME:    2017-07-20 03:00:07.51 -0700       
JOBID:   123
MSGTXT:  123 - STARTED - TIME=03.00.07

and

DATETIME:    2017-07-20 03:00:15.12 -0700   
JOBID:   123
MSGTXT:  123 - ENDED - TIME=03.00.15

My search to find these two logs is:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| stats values(DATETIME) by JOBID

I'm trying to create a custom timeline visualization to show the range of start time to end time by JOBID but I'm getting the following error: "Error rendering Timeline visualization: Invalid time format specified: CIBI8961. Supported time formats are RFC2822, ISO 8601, and epoch time"

I want the x axis to show a time range of 0-24 hours so I'm not sure if converting to epoch time would display in the way I'd like it to. Any help/idea/tips? Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-20-2017 01:37 PM

Like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| stats range(_time) AS duration BY JOBID

Or, if _time is bad (you REALLY should fix that), like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| rex "DATETIME:\s+(?<time>[^\r\n]+)"
| eval time=strptime(time, "%Y-%m-%d %H:%M:%S %Z)"
| stats range(time) AS duration BY JOBID

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-20-2017 01:37 PM

Like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| stats range(_time) AS duration BY JOBID

Or, if _time is bad (you REALLY should fix that), like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| rex "DATETIME:\s+(?<time>[^\r\n]+)"
| eval time=strptime(time, "%Y-%m-%d %H:%M:%S %Z)"
| stats range(time) AS duration BY JOBID
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...