Enhanced timeline highlight certain events- Is the...

michaeler · ‎03-16-2023

I created an enhanced timeline that works the way I want but I'm wondering if there is a way to highlight or change the color of the block for certain events. The ones I want to highlight begin with a * so they are easy to identify.

Is there anything I can do in the search?

I'm displaying the graphic on a classic dashboard, is there something I can do to the source code to get this done?

Thanks in advance for any suggestions.

ITWhisperer · ‎03-16-2023

Can you share details of what you have already done to create an enhance timeline, so we have an idea of your current situation?

michaeler · ‎03-16-2023

I can't share the results because it's on a different system but here is part of the search:

index=meetings ...
.....
| rex field=field1 ".*\((?P<Date>\d[^\)]+)"
| eval current = strftime(now(), "%d %b")
| where Date=current
| rex field=field2 "(?<Details>.*)\((?<Ztime>.*)\)"
| rex field=Ztime "(?<sT>\d{4})"
| rex field=Ztime "\d{4}\s?[-]\s?(?<eT>\d{4}[Z])"
| eval Date=Date." ".date_year, startTime=Date." ".sT."Z", endTime=Date." ".eT
| eval start=strftime(strptime(startTime, "%d %b %Y %H%MZ"), "%d %b %Y %H:%M %Z"), end==strftime(strptime(endTime, "%d %b %Y %H%MZ"), "%d %b %Y %H:%M %Z")
| table Details start end field1

Results example:

Details start end issue

Meeting 1 16 Mar 2023 12:00 EDT 16 Mar 2023 13:30 EDT Meeting (16 Mar)
* K Meet 16 Mar 2023 10:00 EDT 16 Mar 2023 12:00 EDT Meeting (16 Mar)

When I put it into an Enhanced Timeline it looks as expected and works correctly, I just want to highlight the * meetings or make them standout somehow

Enhanced timeline highlight certain events- Is there anything I can do in the search?

other

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?