Hi,
This is probably a very easy thing to do, but I did not seem to find a suitable answer in the documentation yet. What I am trying to do is extract a time from my events and use that time as the y-axis for a line chart. What I am trying right now is the following:
`rex "\d:\d+:\d+\.\d+(?<TIME_TAKEN>)" | convert dur2sec(TIME_TAKEN) | chart first(TIME_TAKEN) by _time`
for events of the form: 0:13:23.233434
The trouble with this approach is that the "first(TIME_TAKEN)" column is empty. I would also like to keep this as a permanent chart - Following the videos there is a props.conf file to edit but I am not sure which. I am new to splunk.
Thanks for the help.
... View more