Re: How to format field values of a varying field...

auaave · ‎02-22-2018

Hey Guys,

I have events with duration (seconds), then I chart the sum of duration per week. So now, the field names are the week numbers and the values are the duration. Formatting to[h%:m%:s%] converts my duration to string that is why I can't format the duration before charting.

How can I format the duration now to [h%:m%:s%] when my field names (week number) are changing every week?

| bin _time span=1w | convert timeformat=("%V") ctime(_time) 
| chart sum(DURATION) as duration over DESCRIPTION by _time useother=f 
| addtotals 
| sort Total desc limit=10

Thank you!

mayurr98 · ‎02-22-2018

hey you can try something like this

| bin _time span=1w 
| convert timeformat=("%V") ctime(_time) 
| chart sum(DURATION) as duration over DESCRIPTION by _time useother=f 
| addtotals 
| sort Total desc limit=10 
| foreach * 
    [ eval <<FIELD>>=if("<<FIELD>>" == "DESCRIPTION",DESCRIPTION,tostring('<<FIELD>>',"duration")) ]

let me know if this helps!

How to format field values of a varying field name?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How to format field values of a varying field name?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey