Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field '_time' should have numerical values.

ayachem
New Member
‎05-03-2010 09:46 PM

Every time I try to run a report on a search, I get 0 records and the following error in the chart editor: Field '_time' should have numerical values.

My Query is: CallDetail>-1 sourcetype="3CX_cdr_custom" Dest<100 | rex field=Duration "(?<DUR>.*)..*" | convert dur2sec(DUR) as DurationSecs | stats sum(DurationSecs) as CallTime by Dest | search CallTime > 0

Basically, I configure the DUR = 00:00:XX, removing any numbers after the decimal place.

The stats in the results view look perfect, but then I try to run a report with sum(DurationSecs) split by Dest, It gives me the error. I can't pick CallTime from the report field list, so I used sum(DurationSecs) instead.

Any help would be greatly appreciated.

~ Michelle

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-03-2010 11:30 PM

try using chart instead of stats?

Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...