https://community.splunk.com/t5/Splunk-Search/About-display-priority-in-annotation/m-p/338731#M164362 <P>Even if you have multiple events coming for a particular time. Splunk breaks them by the indexed time(this means by the order splunk indexed the incoming events). </P> <P>For this you need to write your props.conf like below. </P> <P>[sourcetype]<BR /> DATETIME_CONFIG = CURRENT ----------("CURRENT" will set the time of the event to the time that the event was<BR /> merged from lines, or worded differently, the time it passed through the<BR /> aggregator processor.)</P> <P>Refer this below link<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Propsconf#Timestamp_extraction_configuration">http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Propsconf#Timestamp_extraction_configuration</A></P> <P>So assume you have 200 events per second(Say on 12/13/17 3:38:47). it will break down to milliseconds (12/13/17 3:38:47 101/201/301) </P> <P>Now when you display them in timechart it will show in chronological order. </P> Wed, 13 Dec 2017 10:14:54 GMT sandyIscream 2017-12-13T10:14:54Z https://community.splunk.com/t5/Splunk-Search/About-display-priority-in-annotation/m-p/338730#M164361 <P>How to annotate When multiple events are occurring at the same time, how is it displayed in the time chart?<BR /> I want to know the priority on display.</P> Wed, 13 Dec 2017 09:00:06 GMT https://community.splunk.com/t5/Splunk-Search/About-display-priority-in-annotation/m-p/338730#M164361 hasehiro 2017-12-13T09:00:06Z https://community.splunk.com/t5/Splunk-Search/About-display-priority-in-annotation/m-p/338731#M164362 <P>Even if you have multiple events coming for a particular time. Splunk breaks them by the indexed time(this means by the order splunk indexed the incoming events). </P> <P>For this you need to write your props.conf like below. </P> <P>[sourcetype]<BR /> DATETIME_CONFIG = CURRENT ----------("CURRENT" will set the time of the event to the time that the event was<BR /> merged from lines, or worded differently, the time it passed through the<BR /> aggregator processor.)</P> <P>Refer this below link<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Propsconf#Timestamp_extraction_configuration">http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Propsconf#Timestamp_extraction_configuration</A></P> <P>So assume you have 200 events per second(Say on 12/13/17 3:38:47). it will break down to milliseconds (12/13/17 3:38:47 101/201/301) </P> <P>Now when you display them in timechart it will show in chronological order. </P> Wed, 13 Dec 2017 10:14:54 GMT https://community.splunk.com/t5/Splunk-Search/About-display-priority-in-annotation/m-p/338731#M164362 sandyIscream 2017-12-13T10:14:54Z https://community.splunk.com/t5/Splunk-Search/About-display-priority-in-annotation/m-p/338732#M164363 <P>Thank you for anwering.</P> <P>However, the indexed time must be obtained form log file.</P> <P>I Want to know what condition the event displayed at the top is decided when the time is exactly the same.</P> Wed, 13 Dec 2017 12:51:44 GMT https://community.splunk.com/t5/Splunk-Search/About-display-priority-in-annotation/m-p/338732#M164363 hasehiro 2017-12-13T12:51:44Z