Splunk® Enterprise

Search Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Use the timeline to investigate patterns of events

The timeline is a visual representation of the number of events that occur at each point in time. It shows the distribution of events over time. Mouse over a bar to see the count of events. Click a bar to drill down to that time. Drilling down in this way does not run a new search; it only filters the results from the previous search. You can use the timeline to highlight patterns or clusters of events, or to investigate peaks (spikes in activity) and lows (possible server downtime) in event activity.

The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart. Collapsing the timeline is handy if you want more room for events and are not concerned with the timeline. Click to restore it when you want it back.


Timeline options.png


Change the scale of the timeline

You can view the timeline on two scales: linear or logarithmic (log).

The following image shows the search results for all events in the second quarter on a linear scale.

Linear scale timeline.png


The following image shows the same search results for all events in the second quarter on a log scale.

Log scale timeline.png


Zoom in and zoom out to investigate events

Zooming in and out changes the time focus; for example, zooming in changes the timeline bars from hours to minutes. Clicking a bar drills down to the events in that minute. Zooming out pulls up a level so that you see events over hours or days instead of minutes.

Click and drag your mouse over a cluster of bars in the timeline.

  • Your search results update to display only the events that occurred in that selected time range.
  • If you click zoom in, the timeline updates to display only the span of events that you selected.


Select range in timeline.png


Click on one bar in the timeline.

  • Your search results update to display only the events that occur at that selected point.
  • Once again, if you click zoom in, the timeline updates to display only the events in that selected point.

If you want to select all the bars in the timeline (undo your previous selection), click select all. This option is only available after you've selected one or more bars and before you select either zoom in or zoom out.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

