Tags: splunk, raw-data, splunk-query

How to move raw data in Splunk with no field assigned to a table?


This might be a really simple question, but I haven't been able to find an answer as of yet. I have some raw data from some events that is for example "(duration 5555ms)" and I want to put that in a "| timechart span=1m count by duration" to create a chart that shows when these events took place and their total duration. There is currently no field set up for duration, it is just raw data. How would I get those numbers into my time chart?


Solution

  • You will first need to extract the value for duration into a field. You will most likely use the regex (rex) function for this.

    The exact command you need will depend a lot on your data. But for your example "(duration 5555ms)", this should work assuming the value is always in ms.

    | rex field=_raw "\(duration (?<duration>\d+)ms.*"
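As an added example (not part of the original answer), the full search that carries the extracted value through to the chart asked about in the question; the index and sourcetype are placeholders, and the captured group is named duration_ms to make the unit explicit:

```spl
index=<your_index> sourcetype=<your_sourcetype> "duration"
| rex field=_raw "\(duration (?<duration_ms>\d+)ms\)"
| where isnotnull(duration_ms)
| eval duration_ms=tonumber(duration_ms)
| timechart span=1m count AS events, sum(duration_ms) AS total_duration_ms
```

The `where` drops events the regex did not match so they do not inflate the count, and `sum(duration_ms)` per minute gives the total duration the question wants; `count by duration` would instead split the chart into one series per distinct duration value.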