Create a timeline query
To generate a timeline, use a search that returns results in the correct data format.
Query syntax
To generate a timeline visualization, use this search syntax.
... | table _time <resource_field> [<color_field>] [<duration_field>]
Query components
A timeline search includes the following components.
_time
- Required
- Indicates event start time.
resource_field
- Required
- Indicates the resource or category to plot on the timeline.
color_field
- Required for visualizations using sequential or categorical colors.
- Determines colors for events and activity intervals.
- If you are not using colors in the visualization, leave this field out of the query.
duration_field
- Optional
- Use durations measured in milliseconds.
- Indicates the activity duration.
- Can be generated by the
transaction
command.
- Note: The
transaction
command returns a duration in seconds. Use the followingeval
command to convert the value to milliseconds....| eval duration = (duration * 1000)
- Note: The
Search result data formatting
A timeline search returns results formatted as a table with multiple columns.
Check the Statistics tab after running a search to make sure that the results table includes the required columns in the following order.
Results table columns
First | Second | Third | Fourth |
---|---|---|---|
_time | Resource | Color (required for categorical or sequential colors) | Duration (optional) |
Example query
Here is part of a search tracking weather events in different regions.
... | stats count by _time, duration, "NERC Region", "Event Description" | table _time "NERC Region" duration
The search generates the following results table.
Timeline installation | Visualization components |
This documentation applies to the following versions of Timeline (EOL): 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2
Feedback submitted, thanks!