I have a duration field in seconds. I wanted the format to be D+hh:mm:ss, so I used this:
eval dur_hhmmss=tostring(Duration,"duration")
Then I had to sort it to get the top 10, so I used the sort then head 10:
eval dur_hhmmss=tostring(Duration,"duration")| search dur_hhmmss="*" | chart latest(dur_hhmmss) as Duration by JOBNAME | sort Duration desc | head 10
I was expecting to see 1+18:36:16 (1+ is 1 DAY), at the top of the list but it's not getting displayed in the top 10 result set. If I remove head 10, which then would show all the result, I see 1+18:36:16 at the 19th spot, together with those 1hr results.
How do I get it to appear at the top 10 list? It looks like Splunk is seeing it as 1hr*
... View more