Timeline (EOL)

Timeline

Create a timeline query

To generate a timeline, use a search that returns results in the correct data format.

Query syntax

To generate a timeline visualization, use this search syntax.

... | table _time  <resource_field> [<color_field>] [<duration_field>] 


Query components

A timeline search includes the following components.

_time

  • Required
  • Indicates event start time.


resource_field

  • Required
  • Indicates the resource or category to plot on the timeline.


color_field

  • Required for visualizations using sequential or categorical colors.
  • Determines colors for events and activity intervals.
  • If you are not using colors in the visualization, leave this field out of the query.


duration_field

  • Optional
  • Use durations measured in milliseconds.
  • Indicates the activity duration.
  • Can be generated by the transaction command.
Note: The transaction command returns a duration in seconds. Use the following eval command to convert the value to milliseconds.
...| eval duration = (duration * 1000) 

Search result data formatting

A timeline search returns results formatted as a table with multiple columns.

Check the Statistics tab after running a search to make sure that the results table includes the required columns in the following order.

Results table columns

First Second Third Fourth
_time Resource Color (required for categorical or sequential colors) Duration (optional)


Example query

Here is part of a search tracking weather events in different regions.

... | stats count by _time, duration, "NERC Region", "Event Description" | table _time "NERC Region" duration

The search generates the following results table.

Custom viz timeline table.png

Last modified on 26 August, 2020
Timeline installation   Visualization components

This documentation applies to the following versions of Timeline (EOL): 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters