How can I display a bar chart with human readable ...

Ananya_23 · ‎02-16-2025

I'm able to calculate the time difference between the start and end time of my job. I want to display the string value in bar chart how to achieve this.
index=music Job=*
| eval Duration=(end-start_time)
| chart values(Duration) as Duration by "Start Time"

ITWhisperer · ‎02-17-2025

The simple answer is that you can't or at least not easily with standard charts. The x-axis on a bar chart or y-axis on a column chart is numeric and doesn't show strings (which is what you seem to be trying to show your duration as).

ITWhisperer · ‎02-17-2025

Please share some raw anonymised sample events in a code block using the </> button so we can see what you are dealing with.

Ananya_23 · ‎02-17-2025

Didnt get u but This is the query which i built up so far which is capturing time difference in HH:MM:SS in stats view but i want to display the same duration in chart as well

index=music Job=*
| stats values(host) as Host values(Job) as Job, earliest(_time) as start_time latest(_time) as end values(x) as "File Name" by oid
| eval Duration=(end-start_time)
| eval end = strftime(end,"%m-%d-%Y %H:%M:%S")
| eval start_time = strftime(start_time,"%m-%d-%Y %H:%M:%S")
| rename opid as OPID, start_time as "Start Time", end as "End Time"
| chart list(Duration) as Duration by "Start Time"
| fieldformat Duration=tostring(round(Duration, 0), "Duration")

livehybrid · ‎02-16-2025

Is Job unique for each start/end?
If so I would suggest something like this:

index=music Job=*
| stats earliest(_time) as start_time, latest(_time) as end_time by Job
| eval Duration=(end_time-start_time)
``` The rest of your SPL here, such as ```
| chart values(Duration) as Duration by start_time

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

Ananya_23 · ‎02-17-2025

There are multiple job with each having unique start and end time

livehybrid · ‎02-17-2025

Ah, is there anything unique in a pair of events to split it by? Oh anything on the event to show is the start or end?

Please could you share some anonymised sample events for us to look at in order to help further?

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

Ananya_23 · ‎02-17-2025

Didnt get u but This is the query which i built up so far which is capturing time difference in HH:MM:SS in stats view but i want to display the same duration in chart as well

index=music Job=*
| stats values(host) as Host values(Job) as Job, earliest(_time) as start_time latest(_time) as end values(x) as "File Name" by oid
| eval Duration=(end-start_time)
| eval end = strftime(end,"%m-%d-%Y %H:%M:%S")
| eval start_time = strftime(start_time,"%m-%d-%Y %H:%M:%S")
| rename opid as OPID, start_time as "Start Time", end as "End Time"
| chart list(Duration) as Duration by "Start Time"
| fieldformat Duration=tostring(round(Duration, 0), "Duration")

Current stats output:

i want to display like this

How can I display a bar chart with human readable value of duration

chart

Classic dashboard

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?