Use the timeline to investigate events
The timeline is a visual representation of the number of events in your search results that occur at each point in time. The timeline shows the distribution of events over time.
When you use the timeline to investigate events, you are not running a new search. You are filtering the existing search results.
You can use the timeline to highlight patterns or clusters of events or investigate peaks (spikes in activity) and lows (possible server downtime) in event activity. Position your mouse over a bar to see the count of events. Click on a bar to drill-down to that time range.
Change the timeline format
The timeline is located in the Events tab above the events listing. It shows the count of events over the time range that the search was run. Here, the timeline shows web access events over All time.
Format options are located in the Format Timeline menu:
You can hide the timeline, or display a Compact or Full view of the timeline. You can also toggle the timeline scale between Linear scale or Log scale (logarithmic).
When Full is selected, the timeline view is taller to accommodate the labels on the axis. The count is on the Y-axis and time is on the X-axis.
Zoom in and zoom out to investigate events
Above the timeline are the zoom options. By default, the timeline is zoomed in. The following image shows the timeline display in Full view and zoomed in. The Zoom Out option is available.
The timeline legend is on the top right corner of the timeline. This indicates the scale of the timeline. For example, 1 hour per column indicates that each column represents a count of events during that hour. Zooming in and out changes the time scale.
To zoom in on one or more columns in the timeline, you can either click on the columns and select Zoom to Selection or you can change the time range to a smaller time range in the Time Range Picker.
The smallest time unit that you can zoom in to is 1 millisecond.
When you click Zoom Out, the legend indicates that each column now represents 1 day per column instead of an hour.
Zooming out changes not only the timeline but the value in the Time Range Picker.
Reset the zoom
To reset the zoom or to zoom in, change the value in the Time Range Picker. For example, if you searched using All time and then zoomed out, select All time in the Time Range Picker to return to the original timeline time scale.
Zoom to a selection
When you mouse over and select bars in the timeline, the Zoom to Selection or Deselect options above the timeline become available.
Mouse over and click on one of the bars or drag your mouse over a cluster of bars in the timeline. The events list updates to display only the events that occurred in that selected time range. The time range picker also updates to the selected time range. You can cancel this selection by clicking Deselect.
When you select a set of bars on the timeline and click Zoom to Selection, your search results are filtered to show only the selected time period. The timeline and events list update to show the results of your selection.
The dates and times that correspond to the bars you selected, along with the number of events in that time range, is reflected in the information just below the Search bar.
You cannot Deselect after you zoomed into a selected time range. But, you can Zoom Out again or change the time in the Time Range Picker.
Classify and group similar events
Drill down on event details
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0