All Apps and Add-ons

Timeline - Custom Visualization: How do create a timeline based on this log's time format?

Toshbar
Explorer

I have a log that contains two distinct entries per JOBID. For example:

DATETIME:    2017-07-20 03:00:07.51 -0700       
JOBID:   123
MSGTXT:  123 - STARTED - TIME=03.00.07  

and

DATETIME:    2017-07-20 03:00:15.12 -0700   
JOBID:   123
MSGTXT:  123 - ENDED - TIME=03.00.15    

My search to find these two logs is:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| stats values(DATETIME) by JOBID

I'm trying to create a custom timeline visualization to show the range of start time to end time by JOBID but I'm getting the following error: "Error rendering Timeline visualization: Invalid time format specified: CIBI8961. Supported time formats are RFC2822, ISO 8601, and epoch time"

I want the x axis to show a time range of 0-24 hours so I'm not sure if converting to epoch time would display in the way I'd like it to. Any help/idea/tips? Thank you.

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| stats range(_time) AS duration BY JOBID

Or, if _time is bad (you REALLY should fix that), like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| rex "DATETIME:\s+(?<time>[^\r\n]+)"
| eval time=strptime(time, "%Y-%m-%d %H:%M:%S %Z)"
| stats range(time) AS duration BY JOBID

View solution in original post

woodcock
Esteemed Legend

Like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| stats range(_time) AS duration BY JOBID

Or, if _time is bad (you REALLY should fix that), like this:

index = x  JOBID = "123" MSGTXT = "\*started - time\*" OR "\*ended - time\*"
| rex "DATETIME:\s+(?<time>[^\r\n]+)"
| eval time=strptime(time, "%Y-%m-%d %H:%M:%S %Z)"
| stats range(time) AS duration BY JOBID
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...