Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Time format not being recognized as data point

HCadmins
Communicator
‎12-28-2016 09:25 AM

I have a search with multiple time formats, and the "Duration" time format isn't being recognized when I to a chart. Take a look at the screenshot:
alt text

I am trying to overlay "Duration" with "Throughput _GB_Hour", but on the chart Duration is always zero, whereas in the table we can see different time stamps.

My guess is I need to convert this somehow, but I am stuck as to how to make this work.

Here is my search
eventtype=cv "Source Client"=* "Destination Client"=slc-p-res* OR dab* Duration=* "Start Time"=* "End Time or Current Phase"=* "Throughput _GB_Hour"=* | convert ctime(_time) | table _time "Source Client" "Destination Client" "Start Time" "End Time or Current Phase" Duration "Throughput _GB_Hour"

Preview file
1 KB
0 Karma
Reply

gokadroid
Motivator
‎12-29-2016 12:15 AM

Since your duration in hours will be a very small number in comparison to the throughput values which are in 100s or 200s range hence to represent both values on same scale better try to use the log scale to represent the y axis. It can be chosen from the format option of the visualization.
The hour should be eval Durationhrs=(Durationsec / 60/60).

0 Karma
Reply

HCadmins
Communicator
‎12-28-2016 09:59 AM

Okay, got it!

convert dur2sec(Duration) AS Durationsec | eval Durationhrs=(Durationsec / 60)

Lets me use that duration time as hours, and makes my chart work!

Reply

HCadmins
Communicator
‎12-28-2016 10:05 AM

But wait... is this really giving me the hours? Or do I need to do eval Durationhrs=(Durationsec / 60/60)?

Reply

gokadroid
Motivator
‎12-28-2016 09:51 AM

your Duration and Throughput _GB_Hour have different units. One in time and other in real number. What is your expectancy when your are trying to plot them on the same y axis?

0 Karma
Reply

HCadmins
Communicator
‎12-28-2016 09:53 AM

I just wanted to overlay the time it takes for a particular backup with its throughput.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...