Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I edit my timechart search to create a column chart of average duration values in a human readable format?

kboswell
New Member
‎11-04-2015 12:19 PM

I am trying to create a column chart that represents the average session time over a period of time with a 1 day span.

My current search string is: 

index=  ... | where duration<86400 | timechart span=1d avg(duration) as avg_duration | eval avg_duration=tostring(avg_duration, "duration")

This works to a point. It converts the seconds to a more readable format dd:hh:mm.000000 by using the tostring function, although I am also trying to figure out how to omit the trailing numbers from the values. It then charts them in the statistics tab as expected, however, when I go to the visualization tab and select column chart (or any other visualization for that matter), no data is displayed.

Sample statistics output is below:

        _time       avg_duration
1   2015-11-01  02:22:06.204878
2    2015-11-02 03:04:41.625000
3   2015-11-03  03:43:17.974903
4   2015-11-04  03:14:31.630522

Then the visualization displays no data. Again, the goal is to remove the numbers after the ., then chart the value avg_duration by day

I am assuming it is because it is looking for an integer value that I have now converted to a string to make more readable, but I do not want to chart the data in seconds.

Any help would be greatly appreciated.

Thanks,

Kevin

0 Karma
Reply

woodcock
Esteemed Legend
‎11-04-2015 01:33 PM

Try this:

index=  ... | where duration<86400 | timechart span=1d avg(duration) as avg_duration | rex mode=sed field=avg_duration "s/\.\d+//" | fieldformat avg_duration=tostring(avg_duration, "duration")
0 Karma
Reply

kboswell
New Member
‎11-05-2015 09:02 AM

Thanks for your response.

Sorry, I posted by follow up question in the wrong spot. Incase it doesn't show up properly, I will repost here.

Your search string fixed the format of avg_duration to remove the "extra" characters at the end of the time. The new results are below:
_time avg_duration
1 2015-11-01 02:22:06
2 2015-11-02 03:04:41
3 2015-11-03 03:43:17
4 2015-11-04 03:30:13
5 2015-11-05 03:29:03

However, the visualization graph is still not graphing the data. It builds the chart correctly with the correct labels for the x and y axis, but reports the value "0" for the actual data. Basically I want to graph the value of avg_duration over a period of time represented by _time.

Any other ideas?

Thanks,

Kevin

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...