All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timeline visualization "Failed to load source for Timeline visualization, Supported time formats are RFC2822, ISO 8601, and epoch time"

cdhippen
Path Finder
‎11-21-2019 10:52 AM

I've got a search where the last line is | table time tx duration . This is an example of the resulting table:

     time          tx                                          duration
1   1574361873  467bc12de15e87be9470405eca6af475c2ba5072    2
2   1574361828  b7ed42c618358fa1ef2733b6d4538e17b705d0ab    1342
3   1574359470  6ce4d008d1a6d6873d1c8e5481ba1c4c77f2b929    1
4   1574358821  1effc91b9e809c4412f96e2582bb9fe93e22c95d    44511
5   1574358637  c387972f676d97c752f64643e38d6663ec696392    78467

The time is in epoch format, I've generated it with this line | convert mktime(job_started_at) as time timeformat="%Y-%m-%dT%H:%M:%SZ" but I get the error Error rendering Timeline visualization: Invalid time format specified: 1574357356,1574357377,1574357421,1574357842. Supported time formats are RFC2822, ISO 8601, and epoch time which doesn't make any sense because it's literally saying "Time is in epoch, requires epoch".

Interestingly enough, if I do

| makeresults 1
| eval abc="123", duration=100000, time=_time
| table time abc duration

Then the visualization works, but everything is in the same format. Why won't it work here? Also if I | eval time=null() then it works by placing the start of the timeline at the beginning of the search period.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-26-2019 03:44 AM 
| makeresults 
 | eval _raw="t      time          tx                                          duration
 1    1574361873    467bc12de15e87be9470405eca6af475c2ba5072    2
 2    1574361828    b7ed42c618358fa1ef2733b6d4538e17b705d0ab    1342
 3    1574359470    6ce4d008d1a6d6873d1c8e5481ba1c4c77f2b929    1
 4    1574358821    1effc91b9e809c4412f96e2582bb9fe93e22c95d    44511
 5    1574358637    c387972f676d97c752f64643e38d6663ec696392    78467"
 | multikv
 | table time tx duration
 | rename time as _time

Hi, @cdhippen
I was able to do something normal.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...