Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

X-Axis duration in hours, not seconds

pashtet13
New Member
‎07-25-2016 08:47 AM

I am using the following search to get a total VPN connection time for users:

index=pan_logs eventtype=pan_system log_subtype=globalprotect sourcetype=pan:system
| transaction pan_gp_user startswith="globalprotectgateway-auth-succ" endswith="globalprotectgateway-logout-succ"
| stats sum(duration) by pan_gp_user
| sort by -sum(duration)

I am using Bar Chart and X-Axis is showing duration in seconds. Converting to hh:mm:ss format worked in a regular search, but not for Bar Chart. Any way I can make X-Axis to show time in readable format (hh:mm:ss), rather than in seconds?

alt text

Preview file
34 KB
0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 02:15 PM

In bar chart, the x-axis shows the series values and it has to be numeric in order to be plotted as chart. Converting to hh:mm will make it as string and it will not work. For your case try this workaround (runanywhere sample)

    | gentimes start=-1 | eval temp="user1#2000 user2#1400 user3#1100 user4#1700" | table temp | makemv temp | mvexpand temp | rex field=temp "(?<user>\w+)#(?<series>\d+)" | table user series 
| eval duration=tostring(series,"duration") | chart values(series) over user by duration | addtotals | sort -Total | fields - Total

Replace first 2 lines with your current search and use stacked option in the bar chart visualization.

0 Karma
Reply

pashtet13
New Member
‎07-25-2016 02:48 PM

Thanks. I ended up using this search:

index=pan_logs eventtype=pan_system log_subtype=globalprotect sourcetype=pan:system 
| transaction pan_gp_user startswith="globalprotectgateway-auth-succ" endswith="globalprotectgateway-logout-succ"
| where duration>0
| eval event_duration=tostring(duration,"duration")
| chart values(duration) over pan_gp_user by event_duration
| addtotals
| sort -Total
| fields - Total

Events did stack up together, but X-Axis is still in seconds

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 09:03 AM

I don't believe you can change the format of x-axis for a bar chart t a string value, just like you cannot change the format of y-axis on a column chart.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-25-2016 09:45 AM

That is the beauty of fieldformat; it does not change the value.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-25-2016 08:58 AM

Try this:

index=pan_logs eventtype=pan_system log_subtype=globalprotect sourcetype=pan:system
| transaction pan_gp_user startswith="globalprotectgateway-auth-succ" endswith="globalprotectgateway-logout-succ" 
| stats sum(duration) AS duration BY pan_gp_user
| sort by -duration | fieldformat duration=tostring(duration, "duration")
0 Karma
Reply

pashtet13
New Member
‎07-25-2016 12:53 PM

Thanks. I already tried fieldformat before asking this question. It does not change the chart at all

0 Karma
Reply

woodcock
Esteemed Legend
‎07-27-2016 07:30 AM

You are right; I should have tested. I think that it is impossible with native dashboarding facilities.

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...