Splunk Cloud Platform

Search Manual

Use the timeline to investigate events

The timeline is a visual representation of the number of events in your search results that occur at each point in time. The timeline shows the distribution of events over time.

When you use the timeline to investigate events, you are not running a new search. You are filtering the existing search results.

You can use the timeline to highlight patterns or clusters of events or investigate peaks (spikes in activity) and lows (possible server downtime) in event activity. Position your mouse over a bar to see the count of events. Click on a bar to drill-down to that time range.

Change the timeline format

The timeline is located in the Events tab above the events listing. It shows the count of events over the time range that the search was run. Here, the timeline shows web access events over All time.

This image shows the timeline for the search sourcetype=access_*.

Format options are located in the Format Timeline menu:

This image shows the timeline format options. The default options are Compact and Linear scale. The options are described in the text below.

You can hide the timeline, or display a Compact or Full view of the timeline. You can also toggle the timeline scale between Linear scale or Log scale (logarithmic).

When Full is selected, the timeline view is taller to accommodate the labels on the axis. The count is on the Y-axis and time is on the X-axis.

Zoom in and zoom out to investigate events

Above the timeline are the zoom options. By default, the timeline is zoomed in. The following image shows the timeline display in Full view and zoomed in. The Zoom Out option is available.

This image shows the format, zoom, and select options above the timeline.

Timeline legend

The timeline legend is on the top right corner of the timeline. This indicates the scale of the timeline. For example, 1 hour per column indicates that each column represents a count of events during that hour. Zooming in and out changes the time scale.

Zoom in

To zoom in on one or more columns in the timeline, you can either click on the columns and select Zoom to Selection or you can change the time range to a smaller time range in the Time Range Picker.

The smallest time unit that you can zoom in to is 1 millisecond.

Zoom out

When you click Zoom Out, the legend indicates that each column now represents 1 day per column instead of an hour.

Zooming out changes not only the timeline but the value in the Time Range Picker.

This image shows the changes to the legend and the Time Range Picker when you zoom out one time. The legend says "1 day per column and the Time Range Picker shows "during April 2018".

Reset the zoom

To reset the zoom or to zoom in, change the value in the Time Range Picker. For example, if you searched using All time and then zoomed out, select All time in the Time Range Picker to return to the original timeline time scale.

Zoom to a selection

When you mouse over and select bars in the timeline, the Zoom to Selection or Deselect options above the timeline become available.

This image shows 11 hours selected in the middle of the timeline. There are labels to show the date and time of the first bar selected and the date and time of the last bar selected. The mouse is pointed at the last bar and a popup indicates that there are 211 events that fall into the hour that the bar represents.

Mouse over and click on one of the bars or drag your mouse over a cluster of bars in the timeline. The events list updates to display only the events that occurred in that selected time range. The time range picker also updates to the selected time range. You can cancel this selection by clicking Deselect.

When you select a set of bars on the timeline and click Zoom to Selection, your search results are filtered to show only the selected time period. The timeline and events list update to show the results of your selection.

This image shows the results of zooming in to a selected set of bars in the timeline. The Time Range Picker displays Date Time Range.

The dates and times that correspond to the bars you selected, along with the number of events in that time range, is reflected in the information just below the Search bar.

You cannot Deselect after you zoomed into a selected time range. But, you can Zoom Out again or change the time in the Time Range Picker.

This image shows the timeline zoomed out to 1 hour per column, but still showing the time range from when the bars were selected.

Last modified on 18 December, 2018
Classify and group similar events   Drill down on event details

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2403, 8.2.2201, 8.2.2202, 8.2.2112, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters