Solved: format timechart fields

stwong · ‎06-27-2017

Hi all,

In a query "...| timechart span=1d sum(duration) as Duration by type ", possible to format the "sum(duration)" in the format of HH:MM:SS and display in both the Statistics and Visualization tab?

Sorry for the newbie question.
Thanks and regards

richgalloway · ‎06-27-2017

Try fieldformat.

...| timechart span=1d sum(duration) as Duration by type | fieldformat Duration=strftime(Duration, "%H:%M:%S")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-27-2017

Try fieldformat.

...| timechart span=1d sum(duration) as Duration by type | fieldformat Duration=strftime(Duration, "%H:%M:%S")

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎06-27-2017

I believe you want to use strftime instead of strptime.

stwong · ‎06-27-2017

Thanks a lot, but seems the output doesn't change after added fieldformat:

...|transaction ...| timechart span=1d sum(duration) as Duration by type | fieldformat Duration=strftime(Duration, "%H:%M:%S")

Did I miss anything?
Thanks again.

Best Regards

richgalloway · ‎06-27-2017

You didn't miss anything. Perhaps timechart doesn't honor fieldformat settings.

---
If this reply helps you, Karma would be appreciated.

stwong · ‎06-28-2017

I changed to following and seems to work:

bucket span=1d _time| stats sum(duration) as Duration by type, _time | fieldformat Duration=strftime(Duration, "%H:%M:%S")

Again, anything missed?

Thanks a lot for all of your help.

richgalloway · ‎06-27-2017

Thanks, somesoni2. Answer corrected.

---
If this reply helps you, Karma would be appreciated.

format timechart fields

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases