Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Timeline App duration problem

MaryvonneMB
Path Finder
‎05-11-2016 02:10 AM

Hi everyone!

I'm trying to use Timeline module but I have some trouble with the duration:
Note: I'm working with a lookup file

So, I have start and end contract date for some object, and obviously, I would like to see on a timeline when a contract start and end.
I do the following:
convert timeformat=%Y-%m-%d mktime(timeDate) mktime(endDate) | eval diff=(endDate-timeDate) |table timeDate, "Contract #", diff
I have a timeline but, for example: I have a contract starting at 2009-10-01 and ending at 2014-10-31. The diff value in seconds is correct but, on the timeline it represent only 1day. I don't understand where the problem is. (By the way, every starting date is correctly put on the timeline

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MaryvonneMB
Path Finder
‎05-12-2016 06:32 AM

In fact, a collegue help me and find that we have to do the following: eval diff=(endDate-timeDate) * 1000
With this multiplication the results are well design. But he doesn't know why we have to do this. If anyone has an idea, the answer will be welcome!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MaryvonneMB
Path Finder
‎05-12-2016 06:32 AM

In fact, a collegue help me and find that we have to do the following: eval diff=(endDate-timeDate) * 1000
With this multiplication the results are well design. But he doesn't know why we have to do this. If anyone has an idea, the answer will be welcome!

0 Karma
Reply
Solved! Jump to solution

chchu_splunk
Splunk Employee
Splunk Employee
‎01-25-2019 07:05 AM

Late answer to an old post.

I had the same issue and it appears that the duration requires the resulting field in milliseconds rather than seconds, so multiplying your result by 1000 makes it work.

https://docs.splunk.com/Documentation/Timeline/1.3.0/TimelineViz/TimelineSearchDataFormat

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-11-2016 09:22 AM

What visualization are you using?

0 Karma
Reply
Solved! Jump to solution

MaryvonneMB
Path Finder
‎05-11-2016 11:56 PM

I'm using the Timeline - Custom Vizualisation App from Splunk 6.4

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...