Use the timeline
This topic assumes that you're comfortable running simple searches to retrieve events. If you're not sure, go back to the last topic where you searched with keywords, wildcards, and Booleans to pinpoint an error.
Back at the Flower & Gift shop, let's continue with the customer (10.2.1.44) you were assisting. He reported an error while purchasing a gift for his girlfriend. You confirmed his error, and now you want to find the cause of it.
Continue with the last search, which showed you the customer's failed purchase attempts.
1. Search for:
sourcetype=access_combined_wcookie 10.2.1.44 purchase NOT 200 NOT 404
In the last topic, you focused only on the search results listed in the events viewer area of this dashboard. Now, let's take a look at the timeline.
The location of each bar on the timeline corresponds to an instance when the events that match your search occurred. If there are no bars at a time period, no events were found then.
2. Mouse over one of the bars.
A tooltip pops up and displays the number of events that Splunk found during the time span of that bar (1 bar = 1 hr).
The taller the bar, the more events occurred at that time. A spike in the number of events, or a sudden absence of events, is often a good indication that something has happened.
3. Click one of the bars, for example the tallest bar.
This updates your search results to show you only the events within that time span. Splunk does not run the search when you click on the bar. Instead, it gives you a preview of the results zoomed in to that time range. You can still select other bars at this point.
4. Double-click on the same bar.
Splunk runs the search again and retrieves only events during that one hour span you selected.
You should see the same search results in the Event viewer, but notice that the search overrides the time range picker, which now shows "Custom time". (You'll see more of the time range picker later.) Also, each bar now represents one minute of time (1 bar = 1 min).
One hour is still a wide time period to search, so let's narrow the search down more.
5. Double-click another bar.
Once again, this updates your search to retrieve only events during that one minute span. Each bar now represents one second of time (1 bar = 1 sec).
Now, you want to expand your search to see whether anything else happened during this minute.
6. Without changing the time range, replace your previous search in the search bar with:
*
Splunk supports using the asterisk (*) wildcard to search for "all" or to retrieve events based on parts of a keyword. Up to now, you've only searched Web access logs. This search tells Splunk that you want to see everything that occurred in this time range.
This search returns events from all the logs on your server. You expect to see other users' Web activity, perhaps from different hosts. Instead, you see a cluster of MySQL database errors. These errors were causing your customer's purchases to fail. Now you can report this issue to someone in the IT Operations team.
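The same drill-down, as an added example that is not part of the Splunk documentation: a small Python script that runs the keyword filter over constructed log lines, buckets them the way the timeline bars do (hour, then minute), and then widens to "*" over the busiest minute to count what else was logged. The event data, the mysqld_error sourcetype and the timestamps are all constructed for illustration.

```python
# Added example, not Splunk code: the timeline drill-down from this topic
# (filter, zoom hour -> minute, widen to "*") over constructed log lines,
# so the steps can be followed without a Splunk instance.
import re
from collections import Counter

ACW, SQL = "access_combined_wcookie", "mysqld_error"
# Constructed sample events: (sourcetype, timestamp, raw event text).
EVENTS = [
    (ACW, "2012-03-15 13:10:01", '10.2.1.44 - - "GET /purchase?item=lily" 200 512'),
    (ACW, "2012-03-15 13:11:07", '10.2.1.44 - - "GET /purchase?item=lily" 404 0'),
    (ACW, "2012-03-15 14:05:12", '10.2.1.44 - - "GET /purchase?item=rose" 503 0'),
    (ACW, "2012-03-15 14:05:20", '10.2.1.91 - - "GET /cart" 200 1024'),
    (ACW, "2012-03-15 14:05:40", '10.2.1.44 - - "GET /purchase?item=rose" 503 0'),
    (ACW, "2012-03-15 14:06:03", '10.2.1.44 - - "GET /purchase?item=rose" 503 0'),
    (SQL, "2012-03-15 14:05:11", "[ERROR] Too many connections"),
    (SQL, "2012-03-15 14:05:39", "[ERROR] Too many connections"),
    (SQL, "2012-03-15 14:06:02", "[ERROR] Too many connections"),
]
# Bar width at each zoom level, as the timestamp prefix shared by one bar.
WIDTH = {"hour": 13, "minute": 16, "second": 19}

def matches(event, sourcetype, terms, excluded):
    """Keyword search: every term must be a token of the event, no excluded one may.
    As in Splunk, NOT 200 drops any event containing the token 200 anywhere."""
    st, _, raw = event
    tokens = set(re.findall(r"[A-Za-z0-9.]+", raw))
    return st == sourcetype and set(terms) <= tokens and not (set(excluded) & tokens)

def timeline(events, zoom):
    """Events per bar at one zoom level (1 bar = 1 hr, 1 min or 1 sec)."""
    return Counter(ts[:WIDTH[zoom]] for _, ts, _ in events)

def in_bar(events, bar):
    """Events inside one bar, i.e. what a click or double-click shows."""
    return [e for e in events if e[1].startswith(bar)]

def investigate(events):
    """Steps 1-6 of the topic; returns (hour bar, minute bar, sourcetype counts)."""
    hits = [e for e in events if matches(e, ACW, ["10.2.1.44", "purchase"], ["200", "404"])]
    bars = timeline(hits, "hour")
    hour = max(bars, key=bars.get)                   # steps 3-4: tallest hour bar
    bars = timeline(in_bar(hits, hour), "minute")
    minute = max(bars, key=bars.get)                 # step 5: tallest minute bar
    # Step 6: search "*" (every sourcetype) over that minute, count by sourcetype.
    return hour, minute, Counter(st for st, _, _ in in_bar(events, minute))
```

Running investigate(EVENTS) reports the busiest minute of failed purchases and, alongside the Web hits, the MySQL errors logged in that same minute.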
When you're ready, proceed to the next topic to learn about searching over different time ranges.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7