topic Re: Enhanced timeline highlight certain events in Splunk Search

Enhanced timeline highlight certain events- Is there anything I can do in the search?

michaeler — Fri, 17 Mar 2023 00:27:24 GMT

I created an enhanced timeline that works the way I want but I'm wondering if there is a way to highlight or change the color of the block for certain events. The ones I want to highlight begin with a * so they are easy to identify.

Is there anything I can do in the search?

I'm displaying the graphic on a classic dashboard, is there something I can do to the source code to get this done?

Thanks in advance for any suggestions.

Re: Enhanced timeline highlight certain events

ITWhisperer — Thu, 16 Mar 2023 11:21:05 GMT

Can you share details of what you have already done to create an enhance timeline, so we have an idea of your current situation?

Re: Enhanced timeline highlight certain events

michaeler — Thu, 16 Mar 2023 14:38:29 GMT

I can't share the results because it's on a different system but here is part of the search:

index=meetings ...
.....
| rex field=field1 ".*\((?P<Date>\d[^\)]+)"
| eval current = strftime(now(), "%d %b")
| where Date=current
| rex field=field2 "(?<Details>.*)\((?<Ztime>.*)\)"
| rex field=Ztime "(?<sT>\d{4})"
| rex field=Ztime "\d{4}\s?[-]\s?(?<eT>\d{4}[Z])"
| eval Date=Date." ".date_year, startTime=Date." ".sT."Z", endTime=Date." ".eT
| eval start=strftime(strptime(startTime, "%d %b %Y %H%MZ"), "%d %b %Y %H:%M %Z"), end==strftime(strptime(endTime, "%d %b %Y %H%MZ"), "%d %b %Y %H:%M %Z")
| table Details start end field1

Results example:

Details start end issue

Meeting 1 16 Mar 2023 12:00 EDT 16 Mar 2023 13:30 EDT Meeting (16 Mar)
* K Meet 16 Mar 2023 10:00 EDT 16 Mar 2023 12:00 EDT Meeting (16 Mar)

When I put it into an Enhanced Timeline it looks as expected and works correctly, I just want to highlight the * meetings or make them standout somehow