https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659250#M227649 <P>Hi,<BR />we are logging api requests in Splunk.</P> <P>I would like to create a sort of health check table where every column represents the status code of the last API call in previous 5 minutes. While each row is a different API.</P> <P>Here an example of what the output should be</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_0259.jpeg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27401iECA5388844CCD44B/image-size/large?v=v2&amp;px=999" role="button" title="IMG_0259.jpeg" alt="IMG_0259.jpeg" /></span></P> <P>Any Idea how I could achieve that in Splunk?</P> <P>Each row represents a different API ( request.url), while the status code is stored in response.status</P> <P>Thank you</P> Wed, 04 Oct 2023 18:03:12 GMT faustf 2023-10-04T18:03:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659250#M227649 <P>Hi,<BR />we are logging api requests in Splunk.</P> <P>I would like to create a sort of health check table where every column represents the status code of the last API call in previous 5 minutes. While each row is a different API.</P> <P>Here an example of what the output should be</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_0259.jpeg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27401iECA5388844CCD44B/image-size/large?v=v2&amp;px=999" role="button" title="IMG_0259.jpeg" alt="IMG_0259.jpeg" /></span></P> <P>Any Idea how I could achieve that in Splunk?</P> <P>Each row represents a different API ( request.url), while the status code is stored in response.status</P> <P>Thank you</P> Wed, 04 Oct 2023 18:03:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659250#M227649 faustf 2023-10-04T18:03:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659252#M227650 <P>See if this helps.&nbsp; It uses actual times rather than relative ones, but the format is there.</P><LI-CODE lang="markup">index=_internal status=* earliest=-30m ``` Get the most recent status for each API every 5 minutes | timechart span=5m latest(status) as status by API ``` Convert timestamp to time (HH:MM) ``` | eval _time=strftime(_time,"%H:%M") ``` Flip the display so time is across the top and API down the side ``` | transpose 0 header_field=_time column_name="API" ``` Fill in blank cells ``` | fillnull value="-"</LI-CODE> Sun, 01 Oct 2023 20:40:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659252#M227650 richgalloway 2023-10-01T20:40:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659576#M227725 <P>Very good this is what I was looking for. Thank you.</P><P>Do you know how I can now color each cell depending on the status code?</P><P>Usually I use the following configuration in the dashboard</P><LI-CODE lang="markup">&lt;format type="color" field="status"&gt; &lt;colorPalette type="expression"&gt;case(value like "5%","#D6563C",value like "4%","#F2B827",value like "3%","#A2CC3E",value like "2%","#65A637",true(),null)&lt;/colorPalette&gt; &lt;/format&gt;</LI-CODE><P>&nbsp;</P><P>but it is not working now (I suppose because of the transpose command).</P> Wed, 04 Oct 2023 05:52:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659576#M227725 faustf 2023-10-04T05:52:59Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659694#M227752 <P>I suspect you are right, but you probably should post a separate question about that.</P> Wed, 04 Oct 2023 17:44:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timeline-table/m-p/659694#M227752 richgalloway 2023-10-04T17:44:24Z