Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: timechart does not dis play the error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timechart does not dis play the error
hi all ,
I used the below query ..but i am not getting the timechart its shows
field '_time' should have numerical values
| savedsearch "searchduration" | join TaskBP [ | savedsearch "searchavgduration" ]|eval
Difference=duration-Avgduration|where (Difference>-90 AND Difference<90)| table _time TaskBP Difference | timechart count(Difference) by TaskBP
i have used the tonumber and auto function ..still i am getting error
Thanks
Poornima
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's the idea of having the table command there?! That's what's causing your error. table will implicitly convert the _time value to something humanly readable, which is incompatible with what timechart expects.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkpoornima, please please please stop reposting questions, let it flow and grow within the one question! http://splunk-base.splunk.com/answers/66695/timechart-errror It just confuses things if others search for answers in the future and people trying to help won't know what you've already been told!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There you go - your stats at the end of the second saved search will remove the _time field altogether.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
savedsearch -searchduration has the query
source="taskmanager_log.txt"|transaction TaskBP startswith=START endswith=Succeeded
savedsearch -searchavgduration has the query
source="task.txt"| transaction TaskBP startswith=START endswith=Succeeded|stats avg(duration) as Avgduration by TaskBP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well what is the output of the saved search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi ayn,
i tried without using the table command also but again it shows the same error as above
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
