Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you show events on a timeline?

chustar
Path Finder
‎08-02-2016 06:11 PM

Assuming I'm showing events on a timeline, say for example, timechart count(sign_ins) by date_hour

date_hour | user sign ins
10        | 120
11        | 151
12        | 122
13        | 100
14        | 532
15        | 332

And then I wish to show some markers on that timeline, e.g. stats first (promo_email) by date_hour

 date_hour | email sent   
 10        | 'bacn'       
 13        | 'free stuff'

How could I represent the relationship between these two concepts in the same chart/report/dashboard?

Edit:
The relationship between them being that an event in the second search could cause a spike in the first search but splunk does not seem to have a way to draw lines/markers to show these.

0 Karma
Reply

MuS
Legend
‎08-02-2016 06:40 PM

Hi chustar,

you can combine both searches and simply use:

 your base search here | timechart count(sign_ins) AS sign_ins first(promo_email) AS promo_email by date_hour

But be aware that you should not use the date_* fields; see this answer to learn more on that https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html

Hope this helps ...

cheers, MuS

Update:

The problem is that you want to show numbers and strings on a timechart, therefore this is tricky. But there is an eval trick where you can use values and make them field names 😉

Take a look at this run everywhere command which will count kbps and use the first source of each hour as the filed name:

 index=_internal source=* 
| bin _time span=1h | streamstats first(source) AS first_source_by_hour by _time 
| fields first_source_by_hour kbps 
| eval {first_source_by_hour}=kbps 
| timechart span=1h sum(*) AS * | fields - kbps

The result in a bar chart will look like this:

alt text

So, you could use your email promo instead of source and show it this way.

Reply

chustar
Path Finder
‎08-02-2016 07:19 PM

Thanks MuS. This is what I'm doing now. I can keep it as a table, but I was hoping there was someway I don't know of to show it in a single chart (vertical line when the email is sent), or to call out that potential relationship somewhat better.
And thanks for the date_* tip.

0 Karma
Reply

MuS
Legend
‎08-02-2016 07:59 PM

little update ping with a new idea

0 Karma
Reply
Get Updates on the Splunk Community!

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top