How can I use a Chart Overlay with an epoch field and convert it to a human readable format?

felipesewaybric
Contributor

How can I use Chart Overlay with an epoch field converting the same in time?

I have 2 fields, one is Intervalo with epoch time, and the other called Tempo Limite with the epoch turned into time with 'duration'.

How can I set the chart overlay to time, like 01:22:04 or something like that?


aljohnson_splun
Splunk Employee

EDITED:

I don't know if you can do this. Every attempt I've made at changing this value into a string breaks the overlay.

Maybe the closest thing is just converting those seconds to minutes...

... | eval duration = round(duration/60, 2)

felipesewaybric
Contributor

That works only in the table, but not with chart overlay

aljohnson_splun
Splunk Employee

Did you try selecting formatted_time in the chart overlay field input in the visualization formatting drop-down menu? It should work for both.

felipesewaybric
Contributor

Yes, and it won't work, it only appears in the epoch time, example:

with formatted_time -> 02:08:00 won't show the line
without formatted_time -> 18480.639752 shows the line

aljohnson_splun
Splunk Employee

Hmm. Can you edit your original question - please add your search and talk about what other values are present (like, what's on the x axis).

felipesewaybric
Contributor

[image]

aljohnson_splun
Splunk Employee

I think I see the problem. As for the dentro do tempo medio and Intervalo fields - those are numbers of seconds, right? That is pretty different from epoch time.

So are you just trying to convert those seconds into hours, minutes? It sounded in your original question like you knew how to use eval to get duration:

... | eval Intervalo = tostring(Intervalo, "duration")

Or you could even try using fieldformat instead of eval, if need be?

felipesewaybric
Contributor

I tried already, but what I need is to show the time in the red line on mouseover. Now, when I mouse over the red line Intervalo, it shows only the seconds, like 1420.882232.

I know how to convert, the problem is that once it is converted, the red line disappears.

aljohnson_splun
Splunk Employee

What about something even more simple?

| eval duration = round(Intervalo/60, 2)

That would just be minutes instead of seconds.

felipesewaybric
Contributor

Is there a way to set it to hours and minutes?

aljohnson_splun
Splunk Employee

I think adding a string in there, in this case, the colon, will break the chart-ability of the field.

felipesewaybric
Contributor

True, this is how it ends:
| eval "Media Dia em Minutos" = round(duration/60, 2)

Thanks for the help.

felipesewaybric
Contributor

The chart.overlay (Intervalo) only shows when it is in the epoch format, but I need something like %T when you mouse over the overlay.
