I am trying to calculate transaction time and plot it on start date.
Finding the difference between two dates and then plotting the difference on the y-axis as time
with x-axis being date(timechart).
I want the Y-axis to show as days, not seconds.
Search is as follows:
source=transaction sourcetype=TRANSACTION_DATA
| eval close_date=strptime(closing_day, "%Y-%m-%d")
| eval start_date=strptime(starting_day, "%Y-%m-%d")
| eval difference = close_date - start_date
| eval time_difference = tostring(difference, "duration")
| eval _time=start_date
| timechart values(time_difference) by transaction_type
Try this
source=transaction sourcetype=TRANSACTION_DATA
| eval close_date=strptime(closing_day, "%Y-%m-%d")
| eval start_date=strptime(starting_day, "%Y-%m-%d")
| eval difference = round((close_date - start_date)/86400, 2)
| eval _time=start_date
| timechart values(time_difference) by transaction_type
Like this:
source=transaction sourcetype=TRANSACTION_DATA
| eval close_date=strptime(closing_day, "%Y-%m-%d")
| eval start_date=strptime(starting_day, "%Y-%m-%d")
| eval difference = close_date - start_date
| eval time_difference = tostring(difference, "duration")
| eval _time=start_date
| timechart avg(time_difference) BY transaction_type
Try this
source=transaction sourcetype=TRANSACTION_DATA
| eval close_date=strptime(closing_day, "%Y-%m-%d")
| eval start_date=strptime(starting_day, "%Y-%m-%d")
| eval difference = round((close_date - start_date)/86400, 2)
| eval _time=start_date
| timechart values(time_difference) by transaction_type