Hello,
I extracted the time with the variable TIME. I am trying to create a line graph where it shows the latest time. My search right now is
host=... source=... | timechart max(TIME) by Date
However, my y-axis' values are odd. It goes from 7,000 to 10,000, but the x-axis is correct with the dates.
Assuming that TIME
is actually duration, you can use the tostring
to convert to seconds
like this:
host=... source= | eval DURATION=tostring(TIME,"duration") | timechart max(DURATION) by Date
When I do verbose events show up but no visualizations.
I dont get any results with your line. When I remove timechart there is events. But once I add timechart max(duration) by date nothing vcomes up
In What format you're extracting the TIME value? Can you run something like this and share result?
host=... source=... | head 1 | table TIME
Its really odd that the table is perfect, but the line graph is always wrong
It could be because you're plotting string values in Y-axis. You want to plot the max time of the day in HH:MM:SS format for each day (last 7 day)?
Oh they are string values?
I would need your full current query to confirm the same..
I can send you a picture of the table that comes up
That will work too. somesh.soni@gmail.com
Look at the second email instead
Yes, that's the work around, instead of HH:MM:SS in string format, we can convert it to HH.MM (HH dot MM) i.e. decimal value which can be plotted . I know it would not look good for Tables but decent work around for graphs. Do you intent to put this in dashboard??
If this workaround is acceptable to you, I can tell the option to convert your already existing TIME field to decimal value.
Instead of _time cant I just use TIME?
Your TIME is again a string right? So, to get a decimal out of it OR to convert it to decimal, you can try something like this
| eval TIME=tonumber(replace(TIME ,"^(\d+):(\d+)",\1.\2")) | timechart max(TIME) as TIME by Date
Try query like this and let me know if TIME and TIME_decimal are similar (e.g. 02:47:04 will show as 2.47)
your current search giving your _time Date TIME fields | eval TIME_decimal=tonumber(replace(TIME,"(\d+):(\d+):(\d+)","\1.\2")) | table _time TIME TIME_decimal
And if this looks correct try this
your current search giving your _time Date TIME fields | eval TIME_decimal=tonumber(replace(TIME,"(\d+):(\d+):(\d+)","\1.\2")) | timechart max(TIME_decimal) as TIME by Date
yeah into a dashboard. But I feel the values are offf.. IF you look at the email I sent you the values should be like 2.3 1.5 if anything.. But isntead I am get nines
sent the picture!
As suspected, there are string values (propably output of command like | eval TIME=strftime(_time ,"%H:%M:%S")
. The workaround that you can try would be like this
| eval TIME=tonumber(strftime(_time ,"%H.%M")) | timechart max(TIME) as TIME by Date
I am trying to have..
y-axis have a range of times
x-axis have dates
then it will be plotting the latest time for each date.