Splunk Ver : I tested in 7.3.0 and 6.6.12.
Timezone : I don't know if it’s relevant to this problem, but it is JST
If I run the following search, the column name will be "99".
```
| makeresults count=10
| eval field=99
| timechart count by field
```
But if I use the `span` option like below, the column name changes.
Pattern 1)
```
| makeresults count=10
| eval field=99
| timechart count by field span=1h
```
Result 1)
The column name changes to "0".
Pattern 2)
```
| makeresults count=10
| eval field=99
| timechart count by field span=1m
```
Result 2)
The column name changes to "60".
Pattern 3)
```
| makeresults count=10
| eval field=99
| timechart count by field span=1d
```
Result 3)
The column name changes to "-32400"!
This time, I used `makeresults` as a sample.
But, if I want to use `timechart` by some number field like destination port or ID_number in actual operation, it would be a problem if the displayed column names are different.
Is this an issue?
Or is it the specification? If so, is there a way to avoid it?