All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timeline visualization "Failed to load source for Timeline visualization, Supported time formats are RFC2822, ISO 8601, and epoch time"

cdhippen
Path Finder
‎11-21-2019 10:52 AM

I've got a search where the last line is | table time tx duration . This is an example of the resulting table:

     time          tx                                          duration
1   1574361873  467bc12de15e87be9470405eca6af475c2ba5072    2
2   1574361828  b7ed42c618358fa1ef2733b6d4538e17b705d0ab    1342
3   1574359470  6ce4d008d1a6d6873d1c8e5481ba1c4c77f2b929    1
4   1574358821  1effc91b9e809c4412f96e2582bb9fe93e22c95d    44511
5   1574358637  c387972f676d97c752f64643e38d6663ec696392    78467

The time is in epoch format, I've generated it with this line | convert mktime(job_started_at) as time timeformat="%Y-%m-%dT%H:%M:%SZ" but I get the error Error rendering Timeline visualization: Invalid time format specified: 1574357356,1574357377,1574357421,1574357842. Supported time formats are RFC2822, ISO 8601, and epoch time which doesn't make any sense because it's literally saying "Time is in epoch, requires epoch".

Interestingly enough, if I do

| makeresults 1
| eval abc="123", duration=100000, time=_time
| table time abc duration

Then the visualization works, but everything is in the same format. Why won't it work here? Also if I | eval time=null() then it works by placing the start of the timeline at the beginning of the search period.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-26-2019 03:44 AM 
| makeresults 
 | eval _raw="t      time          tx                                          duration
 1    1574361873    467bc12de15e87be9470405eca6af475c2ba5072    2
 2    1574361828    b7ed42c618358fa1ef2733b6d4538e17b705d0ab    1342
 3    1574359470    6ce4d008d1a6d6873d1c8e5481ba1c4c77f2b929    1
 4    1574358821    1effc91b9e809c4412f96e2582bb9fe93e22c95d    44511
 5    1574358637    c387972f676d97c752f64643e38d6663ec696392    78467"
 | multikv
 | table time tx duration
 | rename time as _time

Hi, @cdhippen
I was able to do something normal.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...