Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to plot duration on y-axis?

splunkIT
Splunk Employee
Splunk Employee
‎04-14-2015 12:35 PM

I have a simple search like this:



index=main sourcetype=test | table date_mday, Duration

Note: the values for Duration are in time format (hh:mm:ss)

When I create a line chart, nothing appears on the chart.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎04-14-2015 12:40 PM

Duration is a string so this would have to be converted in order to plot correctly.

One way to do this is convert the duration to seconds and then plot from there. For instance if your results return a Duration field (along with date_mday)

yoursearch |dedup date_mday| table Duration, date_mday|rex field=Duration "(?<hour>^.+):(?<min>.+):(?<sec>.+$)"|eval hour=hour*60*60|eval min=min*60|eval Duration=round(((hour+min+sec)/60),2)|table date_mday, Duration|sort + date_mday

This should chart the Duration in minutes (that's where our /60 in the last eval statement comes in) on the y axis over the date_mday on the x axis

View solution in original post

Preview file
61 KB
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-14-2015 12:58 PM

Err. You could also do it simply with Convert- Sorry didn't think about this one until I looked at all those evals. dur2sec will also take into account days if they exist in the Duration field.

yoursearch |dedup date_mday|convert dur2sec(Duration) |table date_mday, Duration|eval Duration=round(((Duration)/60),2)|sort + date_mday
Reply
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎04-14-2015 12:40 PM

Duration is a string so this would have to be converted in order to plot correctly.

One way to do this is convert the duration to seconds and then plot from there. For instance if your results return a Duration field (along with date_mday)

yoursearch |dedup date_mday| table Duration, date_mday|rex field=Duration "(?<hour>^.+):(?<min>.+):(?<sec>.+$)"|eval hour=hour*60*60|eval min=min*60|eval Duration=round(((hour+min+sec)/60),2)|table date_mday, Duration|sort + date_mday

This should chart the Duration in minutes (that's where our /60 in the last eval statement comes in) on the y axis over the date_mday on the x axis

Preview file
61 KB
Reply
Solved! Jump to solution

splunkIT
Splunk Employee
Splunk Employee
‎04-14-2015 12:51 PM

Yup. @Flynt's suggestion is working for me. You rock, dude 🙂
I did remove the first table command just to tidy up things a bit:



yoursearch |dedup date_mday| rex field=Duration "(?^.+):(?.+):(?.+$)"|eval hour=hour*60*60|eval min=min*60|eval Duration=round(((hour+min+sec)/60),2)|table date_mday, Duration|sort + date_mday

Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-14-2015 01:02 PM

My second answer is actually cleaner and more effective.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...