eventtype=cv "Source Client"=* "Destination Client"=slc-p-res* OR dab* Duration=* | convert ctime(_time) | convert dur2sec(Duration) AS Durationsec | eval Durationhrs=round(Durationsec/60/60,2) | fields - "Destination Client" | table _time Durationhrs
Returns a beautiful table with time and duration in hours.
I want to have a line chart that shows time as the X axis, and duration as the Y axis, however
eventtype=cv "Source Client"=* "Destination Client"=slc-p-res* OR dab* Duration=* | convert ctime(_time) | convert dur2sec(Duration) AS Durationsec | eval Durationhrs=round(Durationsec/60/60,2) | fields - "Destination Client" | timechart span=1d sum(Durationhrs)
Returns only the time stamp, and the Duration column is empty.
What am I doing wrong?
Take out convert ctime(_time) from your search.
Timechart expects the time field in epoch format, not ASCII.
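The question's second search with the answer's change applied, as an added example that is not part of the original posts: without an AS clause, convert ctime(_time) overwrites _time with a formatted string, so dropping it leaves _time in epoch form for timechart to bucket by day. Everything else is unchanged from the question.

```spl
eventtype=cv "Source Client"=* "Destination Client"=slc-p-res* OR dab* Duration=*
| convert dur2sec(Duration) AS Durationsec
| eval Durationhrs=round(Durationsec/60/60,2)
| fields - "Destination Client"
| timechart span=1d sum(Durationhrs)
```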