Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

X-Axis duration in hours, not seconds

pashtet13
New Member
‎07-25-2016 08:47 AM

I am using the following search to get a total VPN connection time for users:

index=pan_logs eventtype=pan_system log_subtype=globalprotect sourcetype=pan:system
| transaction pan_gp_user startswith="globalprotectgateway-auth-succ" endswith="globalprotectgateway-logout-succ"
| stats sum(duration) by pan_gp_user
| sort by -sum(duration)

I am using Bar Chart and X-Axis is showing duration in seconds. Converting to hh:mm:ss format worked in a regular search, but not for Bar Chart. Any way I can make X-Axis to show time in readable format (hh:mm:ss), rather than in seconds?

alt text

Preview file
1 KB
0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 02:15 PM

In bar chart, the x-axis shows the series values and it has to be numeric in order to be plotted as chart. Converting to hh:mm will make it as string and it will not work. For your case try this workaround (runanywhere sample)

    | gentimes start=-1 | eval temp="user1#2000 user2#1400 user3#1100 user4#1700" | table temp | makemv temp | mvexpand temp | rex field=temp "(?<user>\w+)#(?<series>\d+)" | table user series 
| eval duration=tostring(series,"duration") | chart values(series) over user by duration | addtotals | sort -Total | fields - Total

Replace first 2 lines with your current search and use stacked option in the bar chart visualization.

0 Karma
Reply

pashtet13
New Member
‎07-25-2016 02:48 PM

Thanks. I ended up using this search:

index=pan_logs eventtype=pan_system log_subtype=globalprotect sourcetype=pan:system 
| transaction pan_gp_user startswith="globalprotectgateway-auth-succ" endswith="globalprotectgateway-logout-succ"
| where duration>0
| eval event_duration=tostring(duration,"duration")
| chart values(duration) over pan_gp_user by event_duration
| addtotals
| sort -Total
| fields - Total

Events did stack up together, but X-Axis is still in seconds

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 09:03 AM

I don't believe you can change the format of x-axis for a bar chart t a string value, just like you cannot change the format of y-axis on a column chart.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-25-2016 09:45 AM

That is the beauty of fieldformat; it does not change the value.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-25-2016 08:58 AM

Try this:

index=pan_logs eventtype=pan_system log_subtype=globalprotect sourcetype=pan:system
| transaction pan_gp_user startswith="globalprotectgateway-auth-succ" endswith="globalprotectgateway-logout-succ" 
| stats sum(duration) AS duration BY pan_gp_user
| sort by -duration | fieldformat duration=tostring(duration, "duration")
0 Karma
Reply

pashtet13
New Member
‎07-25-2016 12:53 PM

Thanks. I already tried fieldformat before asking this question. It does not change the chart at all

0 Karma
Reply

woodcock
Esteemed Legend
‎07-27-2016 07:30 AM

You are right; I should have tested. I think that it is impossible with native dashboarding facilities.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...