I extracted the time with the variable TIME. I am trying to create a line graph where it shows the latest time. My search right now is:
host=... source=... | timechart max(TIME) by Date
However, my y-axis' values are odd. It goes from 7,000 to 10,000, but the x-axis is correct with the dates.
TIME is actually a duration. You can use tostring to convert it to seconds like this:
host=... source= | eval DURATION=tostring(TIME,"duration") | timechart max(DURATION) by Date
Yes, that's the workaround: instead of HH:MM:SS in string format, we can convert it to HH.MM (HH dot MM), i.e. a decimal value which can be plotted. I know it would not look good for tables, but it is a decent workaround for graphs. Do you intend to put this in a dashboard?
If this workaround is acceptable to you, I can tell the option to convert your already existing TIME field to decimal value.
Your TIME is again a string, right? So, to get a decimal out of it, or to convert it to decimal, you can try something like this:
| eval TIME=tonumber(replace(TIME,"^(\d+):(\d+)","\1.\2")) | timechart max(TIME) as TIME by Date
Try a query like this and let me know if TIME and TIME_decimal are similar (e.g. 02:47:04 will show as 2.47):
your current search giving your _time Date TIME fields | eval TIME_decimal=tonumber(replace(TIME,"(\d+):(\d+):(\d+)","\1.\2")) | table _time TIME TIME_decimal
And if this looks correct, try this:
your current search giving your _time Date TIME fields | eval TIME_decimal=tonumber(replace(TIME,"(\d+):(\d+):(\d+)","\1.\2")) | timechart max(TIME_decimal) as TIME by Date
As suspected, there are string values (probably output of a command like | eval TIME=strftime(_time ,"%H:%M:%S")). The workaround that you can try would be like this:
| eval TIME=tonumber(strftime(_time ,"%H.%M")) | timechart max(TIME) as TIME by Date
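An added example, not part of the original thread: a Python model of the two replace() patterns posted above, run over constructed (Date, TIME) pairs, showing what each yields for HH:MM:SS strings and what the daily max then looks like. The helper names and sample events are assumptions made for illustration; SPL's tonumber() is modelled as returning null (None) for a non-numeric string.

```python
import re
from collections import defaultdict

# Constructed sample events: (Date, TIME) pairs as the search would return them.
EVENTS = [
    ("2024-01-01", "02:47:04"),
    ("2024-01-01", "17:05:59"),
    ("2024-01-02", "09:15:30"),
    ("2024-01-02", "09:07:45"),
]

TWO_GROUPS = r"^(\d+):(\d+)"            # pattern from the first suggestion
THREE_GROUPS = r"(\d+):(\d+):(\d+)"     # pattern from the follow-up suggestion


def spl_tonumber(text):
    """Model of SPL tonumber(): a number, or None when the string is not numeric."""
    try:
        return float(text)
    except ValueError:
        return None


def to_decimal(time_str, pattern):
    """Model of tonumber(replace(TIME, pattern, "\\1.\\2"))."""
    return spl_tonumber(re.sub(pattern, r"\1.\2", time_str))


def daily_max(events, pattern):
    """Model of max(TIME_decimal) per Date; null values are skipped."""
    buckets = defaultdict(list)
    for date, time_str in events:
        value = to_decimal(time_str, pattern)
        if value is not None:
            buckets[date].append(value)
    return {date: max(values) for date, values in buckets.items()}


if __name__ == "__main__":
    # "02:47:04" -> "02.47:04" with two groups: not numeric, so nothing to plot.
    print("two groups:  ", daily_max(EVENTS, TWO_GROUPS))
    # "02:47:04" -> "02.47" with three groups: plots as 2.47.
    print("three groups:", daily_max(EVENTS, THREE_GROUPS))
```

Because minutes are always two digits, HH.MM values sort in the same order as the original times at minute resolution, so max() still picks the latest time of each day; the fractional part reads as minutes, not as a fraction of an hour.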