Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart does not dis play the error

splunkpoornima
Communicator
‎11-21-2012 11:34 PM

hi all ,

I used the below query ..but i am not getting the timechart its shows

field '_time' should have numerical values

| savedsearch "searchduration" | join TaskBP [ | savedsearch "searchavgduration" ]|eval
Difference=duration-Avgduration|where (Difference>-90 AND Difference<90)| table _time TaskBP Difference | timechart count(Difference) by TaskBP

i have used the tonumber and auto function ..still i am getting error

Thanks

Poornima

Tags (1)
0 Karma
Reply

Ayn
Legend
‎11-22-2012 01:28 AM

What's the idea of having the table command there?! That's what's causing your error. table will implicitly convert the _time value to something humanly readable, which is incompatible with what timechart expects.

Reply

Drainy
Champion
‎11-22-2012 03:50 AM

Splunkpoornima, please please please stop reposting questions, let it flow and grow within the one question! http://splunk-base.splunk.com/answers/66695/timechart-errror It just confuses things if others search for answers in the future and people trying to help won't know what you've already been told!

0 Karma
Reply

Ayn
Legend
‎11-22-2012 02:00 AM

There you go - your stats at the end of the second saved search will remove the _time field altogether.

Reply

splunkpoornima
Communicator
‎11-22-2012 01:58 AM

savedsearch -searchduration has the query

source="taskmanager_log.txt"|transaction TaskBP startswith=START endswith=Succeeded

savedsearch -searchavgduration has the query

source="task.txt"| transaction TaskBP startswith=START endswith=Succeeded|stats avg(duration) as Avgduration by TaskBP

0 Karma
Reply

Ayn
Legend
‎11-22-2012 01:48 AM

Well what is the output of the saved search?

Reply

splunkpoornima
Communicator
‎11-22-2012 01:46 AM

hi ayn,

i tried without using the table command also but again it shows the same error as above

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...