How to format field values of a varying field nam...

auaave · ‎02-22-2018

Hey Guys,

I have events with duration (seconds), then I chart the sum of duration per week. So now, the field names are the week numbers and the values are the duration. Formatting to[h%:m%:s%] converts my duration to string that is why I can't format the duration before charting.

How can I format the duration now to [h%:m%:s%] when my field names (week number) are changing every week?

| bin _time span=1w | convert timeformat=("%V") ctime(_time) 
| chart sum(DURATION) as duration over DESCRIPTION by _time useother=f 
| addtotals 
| sort Total desc limit=10

Thank you!

mayurr98 · ‎02-22-2018

hey you can try something like this

| bin _time span=1w 
| convert timeformat=("%V") ctime(_time) 
| chart sum(DURATION) as duration over DESCRIPTION by _time useother=f 
| addtotals 
| sort Total desc limit=10 
| foreach * 
    [ eval <<FIELD>>=if("<<FIELD>>" == "DESCRIPTION",DESCRIPTION,tostring('<<FIELD>>',"duration")) ]

let me know if this helps!

How to format field values of a varying field name?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to format field values of a varying field name?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...