Splunk Search

How do I edit my timechart search to create a column chart of average duration values in a human readable format?

kboswell
New Member

I am trying to create a column chart that represents the average session time over a period of time with a 1 day span.

My current search string is:

index=  ... | where duration<86400 | timechart span=1d avg(duration) as avg_duration | eval avg_duration=tostring(avg_duration, "duration")

This works to a point. It converts the seconds to a more readable format dd:hh:mm.000000 by using the tostring function, although I am also trying to figure out how to omit the trailing numbers from the values. It then charts them in the statistics tab as expected, however, when I go to the visualization tab and select column chart (or any other visualization for that matter), no data is displayed.

Sample statistics output is below:

    _time       avg_duration
1   2015-11-01  02:22:06.204878
2   2015-11-02  03:04:41.625000
3   2015-11-03  03:43:17.974903
4   2015-11-04  03:14:31.630522

Then the visualization displays no data. Again, the goal is to remove the numbers after the ".", then chart the value avg_duration by day.

I am assuming it is because it is looking for an integer value that I have now converted to a string to make more readable, but I do not want to chart the data in seconds.

Any help would be greatly appreciated.

Thanks,

Kevin

0 Karma

woodcock
Esteemed Legend

Try this:

index=  ... | where duration<86400 | timechart span=1d avg(duration) as avg_duration | rex mode=sed field=avg_duration "s/\.\d+//" | fieldformat avg_duration=tostring(avg_duration, "duration")

0 Karma

kboswell
New Member

Thanks for your response.

Sorry, I posted my follow-up question in the wrong spot. In case it doesn't show up properly, I will repost here.

Your search string fixed the format of avg_duration to remove the "extra" characters at the end of the time. The new results are below:

    _time       avg_duration
1   2015-11-01  02:22:06
2   2015-11-02  03:04:41
3   2015-11-03  03:43:17
4   2015-11-04  03:30:13
5   2015-11-05  03:29:03

However, the visualization graph is still not graphing the data. It builds the chart correctly with the correct labels for the x and y axis, but reports the value "0" for the actual data. Basically I want to graph the value of avg_duration over a period of time represented by _time.

Any other ideas?

Thanks,

Kevin

0 Karma