Splunk Search

How do I add time stamp or label onto my timechart to mark a specific time/event?

sharonmok
Path Finder

Hi! I've got a very simple timechart query that pulls up number of user sessions per day. What I want to do is to add a label or a line that marks when a major event occurred so I can see how the user sessions have changed after it. How do I go about adding these labels?

Query being used:
| timechart span=1day@day dc(session_id) values(session_id)

niketn
Legend

@sharonmok, if you are on Splunk 7+ you can take advantage of Event Annotations

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sharonmok
Path Finder

Unfortunately, I'm on 6.6.4

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

One simple way to do this is just to add another field to cause a "blip" at the date/time that you want. This could be done either by ...

| timechart span=1day@day dc(session_id) values(session_id)
| eval blip=case(_time=the time of the event, 1000)

... or by ...

| append [|makeresults | eval _time=the time of the event, blip=1000 | table _time blip]
| timechart span=1day@day dc(session_id) values(session_id) max(blip) 

sharonmok
Path Finder

Thanks for your reply. I tried both of these and unfortunately, a blip doesn't get created. It's just the same chart.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...