This is a table I created using the timechart command. Now, I am trying to make a line graph with this information with date on the x-axis and completion time for the y-axis. If I am able to solve that, I would love to add extra lines to the line graph.
<searchString>host=... source = ... Position="Finished" AND Report | timechart latest(TIME) as Completion_Time</searchString>
<earliestTime>-168h</earliestTime>
<latestTime>$timetoken.latest$</latestTime>
This is inside my dashboard atm. I have a drop down for time at the top.
The Completion_Time field is a string value and, as far as I know, strings can't be plotted on the Y-axis (you need numerical values). As a workaround, you can convert your Completion_Time to a decimal number like HH.MM and plot them.
That is what I have right now... So I want to add a second line which also has SOMESTRINGTOLOOKFOR and get the exact same data.. The completion_Time
So you just want another line with the same name as SOMESTRINGTOLOOKFOR and the same values as Completion_Time?
It will be a different string I would be looking for.. but yeah, looking for completion time too.. When I was looking online they use a comma in timechart but I'm not sure how I could make it work
So I would want the exact same thing but the SOMESTRINGTOLOOKFOR has a unique completion time. So it would be nice to have both.
If you want to keep your current results and add Completion_Time as another row for SOMESTRINGTOLOOKFOR, then try something like this:
host=.. source =.. | eval NewTIME=if(match(_raw,".*SOMESTRINGTOLOOKFOR.*"),TIME,null()) | timechart latest(*TIME) as *Completion_Time | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2")) | eval NewCompletion_Time=tonumber(replace(NewCompletion_Time,"(\d+):(\d+):(\d+)","\1.\2"))
I'll try it out now. Wow, I didn't know you would need to add that much
OH! I see.. What was the command again? str..() lol.
| eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2"))
What's the 1 and 2 for?
In replace, I'm clubbing your data in 3 parts (values inside the brackets), and replacing 3 parts named 1,2,3 from current format of 1:2:3 to 1.2
Would you know how to add a second line?
host=.. source =.. SOMESTRINGTOLOOKFOR | timechart latest(TIME) as Completion_Time | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2"))
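
The HH.MM conversion from the replies above, run on three constructed TIME values next to a decimal-hours conversion (an added example, not code from the thread; the sample values and the field names hh_mm, parts and decimal_hours are assumptions). Minutes only run from 00 to 59, so HH.MM values are unevenly spaced on a numeric Y-axis, while decimal hours keep equal time steps equal.

```spl
| makeresults count=3
| streamstats count AS n
| eval TIME=case(n=1, "10:59:30", n=2, "11:00:10", n=3, "11:30:00")
| eval hh_mm=tonumber(replace(TIME, "(\d+):(\d+):(\d+)", "\1.\2"))
| eval parts=split(TIME, ":")
| eval decimal_hours=round(tonumber(mvindex(parts, 0)) + tonumber(mvindex(parts, 1)) / 60 + tonumber(mvindex(parts, 2)) / 3600, 3)
| table TIME hh_mm decimal_hours
```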