Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart does not dis play the error

splunkpoornima
Communicator
‎11-21-2012 11:34 PM

hi all ,

I used the below query ..but i am not getting the timechart its shows

field '_time' should have numerical values

| savedsearch "searchduration" | join TaskBP [ | savedsearch "searchavgduration" ]|eval
Difference=duration-Avgduration|where (Difference>-90 AND Difference<90)| table _time TaskBP Difference | timechart count(Difference) by TaskBP

i have used the tonumber and auto function ..still i am getting error

Thanks

Poornima

Tags (1)
0 Karma
Reply

Ayn
Legend
‎11-22-2012 01:28 AM

What's the idea of having the table command there?! That's what's causing your error. table will implicitly convert the _time value to something humanly readable, which is incompatible with what timechart expects.

Reply

Drainy
Champion
‎11-22-2012 03:50 AM

Splunkpoornima, please please please stop reposting questions, let it flow and grow within the one question! http://splunk-base.splunk.com/answers/66695/timechart-errror It just confuses things if others search for answers in the future and people trying to help won't know what you've already been told!

0 Karma
Reply

Ayn
Legend
‎11-22-2012 02:00 AM

There you go - your stats at the end of the second saved search will remove the _time field altogether.

Reply

splunkpoornima
Communicator
‎11-22-2012 01:58 AM

savedsearch -searchduration has the query

source="taskmanager_log.txt"|transaction TaskBP startswith=START endswith=Succeeded

savedsearch -searchavgduration has the query

source="task.txt"| transaction TaskBP startswith=START endswith=Succeeded|stats avg(duration) as Avgduration by TaskBP

0 Karma
Reply

Ayn
Legend
‎11-22-2012 01:48 AM

Well what is the output of the saved search?

Reply

splunkpoornima
Communicator
‎11-22-2012 01:46 AM

hi ayn,

i tried without using the table command also but again it shows the same error as above

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...