Hello,
This is for Splunk Enterprise 7.2.6.
I am trying to separate the time presets so that they are divided into columns of my choice. Here is what I want (on the left what I currently have, on the right what I would like to have):
According to times.conf, I should be able to do this by assigning values to "order". In this case I am assigning 100, 110, 120, and 130 to the first four, and 800, 810, 820, 830, and 840 to the remaining values.
I have noticed, though, that when I change the "latest_time" value for one of the values, then it gets moved to a new column. In my case the "latest_time" must always be set to "@d".
Have I misunderstood something? Is there any way to get my desired result?
Thank you and best regards,
Andrew