Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the field format not working on our timechart search?

georgiahurst
Engager
‎12-19-2018 07:57 PM

I'm trying to plot the duration open for some of my data. I initially converted the open and close times to UNIX data forms, then find the difference, then create a timechart for using the average duration open per day, for each specific error. This is up until the final pipe in the plot below and plots fine.

The issues come when I try and use fieldformat. Instead of the y-axis being in UNIX time format, I want it to be in days, hours, minutes and seconds formats and it will not plot that way. I have tried to use the tostring and strptime formats (see below), however it does not plot as I want.

This part is all good

index="special_index" sourcetype=* | 
eval TimeOpenedAt = strptime('Data.opened_at', "%Y-%m-%d %H:%M:%S")| 
eval TimeClosedAt = strptime('Data.closed_at', "%Y-%m-%d %H:%M:%S") | 
eval TimeToCloseUNIX = TimeClosedAt - TimeOpenedAt | 
bin _time span=1d  | 
timechart avg(TimeToCloseUNIX) as TimeToCloseUNIXAvg by ErrorType |

What I have tried

fieldformat TimeToCloseUNIXAvg=tostring(TimeToCloseUNIXAvg,"duration")

and

fieldformat TimeToCloseUNIXAvg=strftime(TimeToCloseUNIXAvg,"+%j.%H:%M:%S")

Any help would be gratefully appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2018 08:25 AM

The Line Chart visualization can only plot numbers on the Y-axis. If you think about it, it totally makes sense. IMHO, it would be nice if it supported fieldformat so that when it showed the values to use (at least when hovering), the could be formatted differently.
Vote here:
https://ideas.splunk.com/ideas/EID-I-97

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2018 08:25 AM

The Line Chart visualization can only plot numbers on the Y-axis. If you think about it, it totally makes sense. IMHO, it would be nice if it supported fieldformat so that when it showed the values to use (at least when hovering), the could be formatted differently.
Vote here:
https://ideas.splunk.com/ideas/EID-I-97

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...