Hi
I've tried a number of ways to enforce a 24-hour time format, but all of them seem to fail.
I want this to be displayed no matter what the user's locale is, as this can't be meddled with.
Currently I have the following, without any success:
<panel>
  <title>Number of trips - Time Window: $timewindow.formatted$</title>
  <chart>
    <search>
      <query>sourcetype="anewcar" type=Transport source=$UserID2$* | timechart count by event | rename NULL AS Resor</query>
      <earliest>$Kortid.earliest$</earliest>
      <latest>$Kortid.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <progress>
        <!-- Parse ISO time from the search job -->
        <eval token="parsed.earliest">strptime($job.earliestTime$, "%F:%T")</eval>
        <eval token="parsed.latest">strptime($job.latestTime$, "%F:%T")</eval>
        <!-- Pretty print the parsed time -->
        <eval token="formatted.earliest">strftime($parsed.earliest$,"%c")</eval>
        <eval token="formatted.latest">if(isnull($job.latestTime$), "now", strftime($parsed.latest$,"%c"))</eval>
        <!-- Create time window message -->
        <eval token="timewindow.formatted">if(isnull($formatted.earliest$), "...", $formatted.earliest$ + " to " + $formatted.latest$) + if($job.isRealTimeSearch$, " (real-time)", "")</eval>
      </progress>
      <!-- Clear time window message when the search gets cancelled or fails -->
      <cancelled>
        <unset token="timewindow.formatted"></unset>
      </cancelled>
      <error>
        <unset token="timewindow.formatted"></unset>
      </error>
      <fail>
        <unset token="timewindow.formatted"></unset>
      </fail>
    </search>
  </chart>
</panel>
You can use chart to do the same as timechart:
... | eval Time = strftime(_time, "%m/%d %H:%M") | chart count as Total by Time
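
An added example, not part of the original posts: the panel from the question with every displayed timestamp built from an explicit 24-hour format string, combining the answer's strftime/chart approach with the title tokens. The 1-hour `bin` span and the year-first `%Y-%m-%d %H:%M` layout are assumptions chosen for illustration; `%c` is replaced because it is a locale-dependent format.

```xml
<panel>
  <title>Number of trips - Time Window: $timewindow.formatted$</title>
  <chart>
    <search>
      <!-- Assumption: span=1h is an illustrative bucket size. chart does not
           bucket _time the way timechart does, so bin it before formatting. -->
      <query>sourcetype="anewcar" type=Transport source=$UserID2$* | bin _time span=1h | eval Time=strftime(_time, "%Y-%m-%d %H:%M") | chart count over Time by event | rename NULL AS Resor</query>
      <earliest>$Kortid.earliest$</earliest>
      <latest>$Kortid.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <progress>
        <!-- Parsing is kept exactly as posted in the question -->
        <eval token="parsed.earliest">strptime($job.earliestTime$, "%F:%T")</eval>
        <eval token="parsed.latest">strptime($job.latestTime$, "%F:%T")</eval>
        <!-- Changed: explicit 24-hour format (%H) instead of locale-dependent %c -->
        <eval token="formatted.earliest">strftime($parsed.earliest$,"%Y-%m-%d %H:%M:%S")</eval>
        <eval token="formatted.latest">if(isnull($job.latestTime$), "now", strftime($parsed.latest$,"%Y-%m-%d %H:%M:%S"))</eval>
        <!-- Time window message, unchanged from the question -->
        <eval token="timewindow.formatted">if(isnull($formatted.earliest$), "...", $formatted.earliest$ + " to " + $formatted.latest$) + if($job.isRealTimeSearch$, " (real-time)", "")</eval>
      </progress>
      <!-- Clear time window message when the search gets cancelled or fails -->
      <cancelled>
        <unset token="timewindow.formatted"></unset>
      </cancelled>
      <error>
        <unset token="timewindow.formatted"></unset>
      </error>
      <fail>
        <unset token="timewindow.formatted"></unset>
      </fail>
    </search>
  </chart>
</panel>
```

Because chart treats Time as a plain string, a year-first layout keeps the rows in chronological order when they are sorted as text. Unlike timechart, chart does not fill in empty time buckets, so hours with no events are simply absent from the axis.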