There is a way to do this. The first question is: in your data, is the _time field of the event equal to the processing time (処理時間)?
If it is, then you can probably do something like:
|timechart count(something) - this charts x values over y time axis.
| eval _time = strftime(_time, "%H:%M:%S") - this takes the time field and displays just the hours, minutes, and seconds, separated by ':' symbols.
If the _time field of the event is NOT the same as the Processing Time field, it is a little harder to guess at the answer but should be similar:
| eval _time = strptime(処理時間, "%H:%M:%S") - this turns the human readable time into computer readable time
|timechart count(something) - this charts x values over y time axis.
If you are able to share a single event I could probably do better.
Thank you for the advice.
>There is a way to do this. the first question is: in your data, is the _time field of the event equal to the processing time (処理時間)?
No, they are different.
As an example of the data:
| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223
"
| multikv forceheader=1
| chart sum(procTime) as pTime by baseDate
For data like this, I want pTime, which becomes the Y axis, in "HH:MM:SS" format.
Thank you for the sample data set. If I am understanding you correctly, all you need is this:
| eval pTimeFull=tostring(pTime, "duration")
The full example looks like this:
| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223
"
| multikv forceheader=1
| chart sum(procTime) as pTime by baseDate
| eval pTime=tostring(pTime, "duration")
Splunk has a built-in tostring method that converts seconds to human-readable H:M:S format.
Was that able to solve your issue?
Thank you for the further advice.
When I add "eval pTime=tostring(pTime, "duration")",
the Statistics tab shows it in "HH:MM:SS" format.
However, in the visualizations (Line Chart and Column Chart),
the Y axis is not shown in "HH:MM:SS" format.
Thank you for sharing that, I understand the problem. However, I have done a reasonably thorough review of the internet and while many people have this same question, I was not able to find anyone who had solved it in a way I could reproduce.
What if we changed minutes to hours? It is not ideal, because you end up with decimal hour units, 8.6 hours etc., but it is more intuitive perhaps than minutes and it is easily possible. You could waste many hours putting together an alternative when this gets you most of the way.
| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223
"
| multikv forceheader=1
| eval pHours = procTime/60
| chart sum(pHours) as Hours by baseDate
| eval Hours = round(Hours,1)
I am sorry I wasn't able to be of more help. Splunk tempts us with how much it CAN do, but it still has many things it cannot.
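One search that ties the three answers together (an added example, not code posted by anyone in this thread): it rebuilds the thread's sample data the same way, recomputes each row's duration from start and end with strptime to check the supplied procTime (a row whose procTime disagrees is counted in badRows), keeps a numeric seconds and minutes column that a Line or Column Chart can plot on its Y axis, and adds the tostring(..., "duration") text for the Statistics tab. The field names startEpoch, endEpoch, calcSecs, mismatch, pTimeSecs, pTimeMinutes, pTimeHMS and badRows are assumptions chosen here.

```spl
| makeresults
| eval _raw="baseDate,start,end,procTime
2023/05/01,2023/05/01 09:00:14,2023/05/01 09:03:17,183
2023/05/01,2023/05/01 09:03:17,2023/05/01 09:04:57,100
2023/05/01,2023/05/01 09:04:57,2023/05/01 09:08:48,231
2023/05/02,2023/05/02 09:00:11,2023/05/02 09:03:18,187
2023/05/02,2023/05/02 09:03:18,2023/05/02 09:05:31,133
2023/05/02,2023/05/02 09:05:31,2023/05/02 09:09:14,223
"
| multikv forceheader=1
| eval startEpoch=strptime(start, "%Y/%m/%d %H:%M:%S"), endEpoch=strptime(end, "%Y/%m/%d %H:%M:%S")
| eval calcSecs=endEpoch-startEpoch
| eval mismatch=if(calcSecs!=tonumber(procTime), 1, 0)
| stats sum(procTime) as pTimeSecs, sum(mismatch) as badRows by baseDate
| eval pTimeMinutes=round(pTimeSecs/60, 2)
| eval pTimeHMS=tostring(pTimeSecs, "duration")
| table baseDate pTimeSecs pTimeMinutes pTimeHMS badRows
```

Chart pTimeSecs or pTimeMinutes (numeric) on the Y axis and read pTimeHMS from the table; a non-zero badRows on a day means procTime in the raw data does not match end minus start for at least one row.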