Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use a field as time in a chart for a specific search?

mattdavid
New Member
‎03-13-2012 01:17 PM

Hello,

I am creating searches/charts for multiple events in a single log file. For most of events, the default time field is what I want to graph the timechart against. However, for a specific case, the actual time I want to graph against is represented in milliseconds in a field "time". I want to be able to chart this as my x-axis, displayed properly as a date would be, but I have no idea how this can be done.

Apologies if this is a simple/obvious answer, but I haven't found anything in the chart/timechart documentation pages.

Thank you.

Tags (3)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-13-2012 03:09 PM

You could try:

... | eval _time=strptime("%s%3N",time) | chart max(duration) by _time
Reply

mattdavid
New Member
‎03-13-2012 04:11 PM

Hmm, I couldn't get strptime to work properly to format my milliseconds format, which actually should have been strptime(time, "%3N") or strptime(time, "%Q").

However, using eval _time=... gave me an idea to reformat the time being logged in seconds (the format of _time for all log entries) and simply use eval _time=time, which seems to have worked perfectly.

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎03-13-2012 01:28 PM

You can do this via xyseries:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries

There are other methods to get the type of chart you want, but this is the first that comes to mind.

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎03-13-2012 04:54 PM

Gerald has the right answer... I thought you wanted to leverage a field called time to graph as one of the axis. You are simply asking to rework the time field and how it is displayed.

0 Karma
Reply

mattdavid
New Member
‎03-13-2012 02:39 PM

Sorry, I think I was being a little roundabout in my description.

I'm able to use the field 'time' in the x-axis of chart. My issue I'm trying to resolve is that the time displays in milliseconds, and I want it converted to a readable date/time format, if this is possible.

My simple chart definition is as follows: chart max(duration) over time by host

I'm not too sure how an xyseries would improve upon this situation.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...