How do I add time stamp or label onto my timechart...

sharonmok · ‎06-27-2018

Hi! I've got a very simple timechart query that pulls up number of user sessions per day. What I want to do is to add a label or a line that marks when a major event occurred so I can see how the user sessions have changed after it. How do I go about adding these labels?

Query being used:
| timechart span=1day@day dc(session_id) values(session_id)

niketn · ‎06-27-2018

@sharonmok, if you are on Splunk 7+ you can take advantage of Event Annotations

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sharonmok · ‎06-27-2018

Unfortunately, I'm on 6.6.4

DalJeanis · ‎06-27-2018

One simple way to do this is just to add another field to cause a "blip" at the date/time that you want. This could be done either by ...

| timechart span=1day@day dc(session_id) values(session_id)
| eval blip=case(_time=the time of the event, 1000)

... or by ...

| append [|makeresults | eval _time=the time of the event, blip=1000 | table _time blip]
| timechart span=1day@day dc(session_id) values(session_id) max(blip)

sharonmok · ‎07-04-2018

Thanks for your reply. I tried both of these and unfortunately, a blip doesn't get created. It's just the same chart.

How do I add time stamp or label onto my timechart to mark a specific time/event?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

How do I add time stamp or label onto my timechart to mark a specific time/event?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk