How to format field values of a varying field nam...

auaave · ‎02-22-2018

Hey Guys,

I have events with duration (seconds), then I chart the sum of duration per week. So now, the field names are the week numbers and the values are the duration. Formatting to[h%:m%:s%] converts my duration to string that is why I can't format the duration before charting.

How can I format the duration now to [h%:m%:s%] when my field names (week number) are changing every week?

| bin _time span=1w | convert timeformat=("%V") ctime(_time) 
| chart sum(DURATION) as duration over DESCRIPTION by _time useother=f 
| addtotals 
| sort Total desc limit=10

Thank you!

mayurr98 · ‎02-22-2018

hey you can try something like this

| bin _time span=1w 
| convert timeformat=("%V") ctime(_time) 
| chart sum(DURATION) as duration over DESCRIPTION by _time useother=f 
| addtotals 
| sort Total desc limit=10 
| foreach * 
    [ eval <<FIELD>>=if("<<FIELD>>" == "DESCRIPTION",DESCRIPTION,tostring('<<FIELD>>',"duration")) ]

let me know if this helps!

How to format field values of a varying field name?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to format field values of a varying field name?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits