- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to Add time in the Dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a query (e.g. "....... " | stats count, avg(...)) and after that I get as result
OwnColumn Count AVG
XYZ 20 40
As another column I would like to have the time of my request (last week, last 24 hours), depending on what I selected. And that in readable time.
Now I found the following command to show me the time.
| addinfo
| convert ctime(*)
| eval reportDate=info_min_time." to ".info_max_time
| table reportDate
| rex field=reportDate "(?<FirstPart>.*\d+:\d+:\d+).*\s+to\s+(?<SecondPart>.*\d+:\d+:\d+)"
| eval reportDate=FirstPart." to ".SecondPart
| fields reportDate
I customized it the query : "fields OwnColumn, reportDate, count, AVG..." so I can see my queries in the dashboard.
So requested would be
OwnColumn reportDate count AVG
XXX 02/21/2021 00:00:00 to 02/28/2021 00:00:00 20 40
However, I either get only the reportDate and all the others remain empty or it converts the data from the other queries also into a date, so that 43 (which was for example in count) then also becomes a date. How do I change the query to get what I want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @exchanger,
Function ctime(*) converts all field values. Change it to ctime(info_*_time).
| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @exchanger,
Function ctime(*) converts all field values. Change it to ctime(info_*_time).
| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG
If this reply helps you, an upvote/like would be appreciated.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
