
In the Event Timeline viz app, the group column needs to be sorted based on time; currently it is sorted in alphabetical order.

yadavshilpa
New Member

I would like to add a few more inputs.
I have created a dashboard with the Event Timeline viz view. I have 5 columns: Group, Label, Start, End, Tooltip.

The timeline is created with:

Group      Label    Start  End  Tooltip
elevated   Splunk   3pm    4pm  message
low        console  2pm    3pm  message1


My question is why the group field is sorted alphabetically. I want the timeline group field to be sorted based on time, e.g. Group (low) should appear first and then elevated. Let me know if any additional information is required.


danspav
SplunkTrust

Hi @yadavshilpa,

I have added the ability to sort groups by time - check out the update on splunkbase:

https://splunkbase.splunk.com/app/4370/

You can choose how to sort groups in the options under General > Group Sorting:


@niketnilay's solution is also a good option. I'd just add the following line to remove the null values:

| search label!=NULL

niketn
Legend

@yadavshilpa will your search result always have the three groups low, elevated, severe? Also, since the sort requirement is specific to your use case and is not set by any rule in the data, you would need to create your own sequence, as the visualization always sorts the results based on the group field and not as per the original sort of the results returned (handling the sort in the visualization logic seems an incorrect thing to do). Paging @danspav, who built the app.

If you add your own sequence for group sorting, you will have to ensure all groups are present in the final result; otherwise you will have misleading sequence numbers, like "1. low" followed by "3. severe" with "2. elevated" missing.

Following is a run-anywhere example based on Splunk's _internal index that you can try. Splunk's _internal logs may have the following message types: INFO, WARN, ERROR, FATAL; everything else I have kept as UNKNOWN. I have created dummy rows using append with makeresults to create empty rows. This, however, adds NULL-value rows for each group at the current time.

index=_internal sourcetype=splunkd component=* name=* earliest=-1h latest=now
| bin _time span=15m
| eval event_message=substr(event_message,1,20)
| stats latest(date_hour) as color latest(event_message) as data count by _time log_level component 
| append 
    [| makeresults 
    | eval _time=replace(relative_time(_time,"@min"),".000000","")
    | eval log_level="INFO,WARN,ERROR,FATAL",color="",data="",component="NULL"
    | makemv log_level delim="," 
    | mvexpand log_level]
| stats latest(color) as color latest(data) as data count by _time log_level component 
| eval log_level=case(log_level=="INFO","1. INFO",
    log_level=="WARN","2. WARN",
    log_level=="ERROR","3. ERROR",
    log_level=="FATAL","4. FATAL",
    true(),"5. UNKNOWN") 
| eval start=_time, tooltip=log_level."-".component
| rename log_level as group, component as label
| table group, label, start, data, tooltip


Following is the Simple XML example:

<dashboard>
  <label>Event Timeline Example</label>
  <row>
    <panel>
      <viz type="event-timeline-viz.event-timeline-viz">
        <search>
          <query>index=_internal sourcetype=splunkd component=* name=* earliest=-1h latest=now
| bin _time span=15m
| eval event_message=substr(event_message,1,20)
| stats latest(date_hour) as color latest(event_message) as data count by _time log_level component 
| append 
    [| makeresults 
    | eval _time=replace(relative_time(_time,"@min"),".000000","")
    | eval log_level="INFO,WARN,ERROR,FATAL",color="",data="",component="NULL"
    | makemv log_level delim="," 
    | mvexpand log_level]
| stats latest(color) as color latest(data) as data count by _time log_level component 
| eval log_level=case(log_level=="INFO","1. INFO",
    log_level=="WARN","2. WARN",
    log_level=="ERROR","3. ERROR",
    log_level=="FATAL","4. FATAL",
    true(),"5. UNKNOWN") 
| eval start=_time, tooltip=log_level."-".component
| rename log_level as group, component as label
| table group, label, start, data, tooltip</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="event-timeline-viz.event-timeline-viz.backgroundColor">#ffffff</option>
        <option name="event-timeline-viz.event-timeline-viz.eventColor">#d5ddf6</option>
        <option name="event-timeline-viz.event-timeline-viz.maxZoom">3600000</option>
        <option name="event-timeline-viz.event-timeline-viz.minZoom">60000</option>
        <option name="event-timeline-viz.event-timeline-viz.orientation">top</option>
        <option name="event-timeline-viz.event-timeline-viz.stack">true</option>
        <option name="event-timeline-viz.event-timeline-viz.tokenAllVisible">tok_et_all_visible</option>
        <option name="event-timeline-viz.event-timeline-viz.tokenData">tok_et_data</option>
        <option name="event-timeline-viz.event-timeline-viz.tokenEnd">tok_et_end</option>
        <option name="event-timeline-viz.event-timeline-viz.tokenLabel">tok_et_label</option>
        <option name="event-timeline-viz.event-timeline-viz.tokenStart">tok_et_start</option>
        <option name="event-timeline-viz.event-timeline-viz.tooltipDateFormat">DD-MMM-YYYY</option>
        <option name="event-timeline-viz.event-timeline-viz.tooltipTimeFormat">h:mm:ss A</option>
        <option name="height">346</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

yadavshilpa
New Member

Hi @niketnilay

My search result will not always have three groups low, elevated, severe. It depends on the event transaction.
Sometimes it may only have low and elevated as group.


niketn
Legend

So you would need to fill in the empty values in the way I have shown in the run-anywhere example above.

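As an added example (editorial, not code from the original thread, from niketn, or from the app): a run-anywhere search that derives the group order from the data instead of from a fixed case() list. It ranks each group by its earliest start time and prefixes the rank to the group name, so the visualization's alphabetical sort of the group field produces the time order yadavshilpa asked for. Because ranks are assigned only to groups that are actually present, the filler rows from the earlier example (and the `| search label!=NULL` cleanup) are not needed here. The four sample events, the group names and the 15-minute duration are constructed for the example; the field names group, label, start, end and tooltip are the ones the viz expects.

```spl
| makeresults count=4
| streamstats count as n
| eval group=case(n==1,"elevated", n==2,"low", n==3,"elevated", n==4,"severe")
| eval start=case(n==1,relative_time(_time,"-1h"), n==2,relative_time(_time,"-2h"), n==3,relative_time(_time,"-30m"), n==4,relative_time(_time,"-45m"))
| eval end=start+900, label="event".n, tooltip=group." ".label
| eventstats min(start) as group_start by group
| sort 0 group_start group
| streamstats dc(group) as group_rank
| eval group=printf("%02d. %s", group_rank, group)
| table group label start end tooltip
```

The first five commands only build the constructed sample rows (two elevated events, one low, one severe). The real work is the last five: eventstats attaches each group's earliest start as group_start, sort orders the rows by that time (and by group name as a tie-breaker), streamstats dc(group) over the sorted stream yields a running distinct-count that equals the rank of the group the row belongs to, and printf zero-pads it so the prefix still sorts correctly past nine groups. With the sample data this yields "01. low", "02. elevated" and "03. severe". To apply it to your own dashboard, replace the makeresults block with the search that already produces your group/label/start/end/tooltip columns and keep the last five commands; if you are on the updated app version danspav linked above, the General > Group Sorting option does this without any SPL changes.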