Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I create a new column in time presets?

andrewtrobec
Builder
‎01-13-2021 02:29 AM

Hello,

This is for Splunk Enterprise 7.2.6.

I am trying to separate the time presets so that they are divided into columns of my choice.  Here is what I want (on the left what I currently have, on the right what I would like to have):

Untitled.png

According to times.conf, I should be able to do this by assigning values to "order".  In this case I am assigning 100, 110, 120, and 130 to the first four, and 800, 810, 820, 830, and 840 to the remaining values.

I have noticed, though, that when I change the "latest_time" value for one of the values, then it gets moved to a new column.  In my case the "lastest_time" must always be set to "@d".

Have I misunderstood something?  Is there any way to get my desired result?

Thank you and best regards,

Andrew

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!