Timeline visualization "Failed to load source for Timeline visualization, Supported time formats are RFC2822, ISO 8601, and epoch time"

cdhippen
Path Finder

I've got a search where the last line is | table time tx duration. This is an example of the resulting table:

     time          tx                                          duration
1   1574361873  467bc12de15e87be9470405eca6af475c2ba5072    2
2   1574361828  b7ed42c618358fa1ef2733b6d4538e17b705d0ab    1342
3   1574359470  6ce4d008d1a6d6873d1c8e5481ba1c4c77f2b929    1
4   1574358821  1effc91b9e809c4412f96e2582bb9fe93e22c95d    44511
5   1574358637  c387972f676d97c752f64643e38d6663ec696392    78467

The time is in epoch format; I've generated it with this line: | convert mktime(job_started_at) as time timeformat="%Y-%m-%dT%H:%M:%SZ". But I get the error "Error rendering Timeline visualization: Invalid time format specified: 1574357356,1574357377,1574357421,1574357842. Supported time formats are RFC2822, ISO 8601, and epoch time", which doesn't make any sense because it's literally saying "Time is in epoch, requires epoch".

Interestingly enough, if I do

| makeresults 1
| eval abc="123", duration=100000, time=_time
| table time abc duration

Then the visualization works, but everything is in the same format. Why won't it work here? Also if I | eval time=null() then it works by placing the start of the timeline at the beginning of the search period.

to4kawa
Ultra Champion
| makeresults 
 | eval _raw="t      time          tx                                          duration
 1    1574361873    467bc12de15e87be9470405eca6af475c2ba5072    2
 2    1574361828    b7ed42c618358fa1ef2733b6d4538e17b705d0ab    1342
 3    1574359470    6ce4d008d1a6d6873d1c8e5481ba1c4c77f2b929    1
 4    1574358821    1effc91b9e809c4412f96e2582bb9fe93e22c95d    44511
 5    1574358637    c387972f676d97c752f64643e38d6663ec696392    78467"
 | multikv
 | table time tx duration
 | rename time as _time

Hi, @cdhippen
I was able to do something normal.
