Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use the timeline to investigate events

The timeline is a visual representation of the number of events that occur at each point in time. It shows the distribution of events over time. Mouseover a bar to see the count of events. Click on a bar to drill-down to that time. Drilling down in this way does not run a new search, it just filters the results from the previous search. You can use the timeline to highlight patterns or clusters of events or investigate peaks (spikes in activity) and lows (possible server downtime) in event activity.

Change the timeline format

The timeline is located in the Events tab above the events listing.

Search eventtimeline compact.png


Format options are located in the Format Timeline menu:

Search timeline formatoptions.png


You can hide the timeline (Hidden) and display a Compact or Full view of it. You can also toggle the timeline scale between linear (Linear Scale) or logarithmic (Log Scale).

For example, the following is the Full view:

Search eventtimeline full.png

In this view, the timeline is taller and displays the count on the y-axis and time on the x-axis.

Zoom in and zoom out to investigate events

Zoom and selection options are located above the timeline. At first, only the Zoom Out option is available.

When you mouse over and select bars in the timeline, the Zoom to Selection or Deselect options become available.

The timeline legend is on the top right corner of the timeline. This indicates the scale of the timeline. For example, 1 minute per column indicates that each column represents a count of events during that minute.

Zooming in and out changes the time focus. For example, if you click Zoom Out the legend will indicate that each column now represents an hour instead of a minute.

When you click and drag your mouse over one or a cluster of bars in the timeline, the events list updates to display only the events that occurred in that selected time range.

You can cancel this selection by clicking Deselect.

When you Zoom to Selection, you filter the results of your previous search for your selected time period. The timeline and events list update to show the results of the new search.

You can't Deselect, once you've zoomed into the selected time range. But, you can Zoom Out again.

PREVIOUS
Classify and group similar events
  NEXT
About time ranges in search

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters