Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use a field as time in a chart for a specific search?

mattdavid
New Member
‎03-13-2012 01:17 PM

Hello,

I am creating searches/charts for multiple events in a single log file. For most of events, the default time field is what I want to graph the timechart against. However, for a specific case, the actual time I want to graph against is represented in milliseconds in a field "time". I want to be able to chart this as my x-axis, displayed properly as a date would be, but I have no idea how this can be done.

Apologies if this is a simple/obvious answer, but I haven't found anything in the chart/timechart documentation pages.

Thank you.

Tags (3)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-13-2012 03:09 PM

You could try:

... | eval _time=strptime("%s%3N",time) | chart max(duration) by _time
Reply

mattdavid
New Member
‎03-13-2012 04:11 PM

Hmm, I couldn't get strptime to work properly to format my milliseconds format, which actually should have been strptime(time, "%3N") or strptime(time, "%Q").

However, using eval _time=... gave me an idea to reformat the time being logged in seconds (the format of _time for all log entries) and simply use eval _time=time, which seems to have worked perfectly.

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎03-13-2012 01:28 PM

You can do this via xyseries:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries

There are other methods to get the type of chart you want, but this is the first that comes to mind.

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎03-13-2012 04:54 PM

Gerald has the right answer... I thought you wanted to leverage a field called time to graph as one of the axis. You are simply asking to rework the time field and how it is displayed.

0 Karma
Reply

mattdavid
New Member
‎03-13-2012 02:39 PM

Sorry, I think I was being a little roundabout in my description.

I'm able to use the field 'time' in the x-axis of chart. My issue I'm trying to resolve is that the time displays in milliseconds, and I want it converted to a readable date/time format, if this is possible.

My simple chart definition is as follows: chart max(duration) over time by host

I'm not too sure how an xyseries would improve upon this situation.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...