Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you show events on a timeline?

chustar
Path Finder
‎08-02-2016 06:11 PM

Assuming I'm showing events on a timeline, say for example, timechart count(sign_ins) by date_hour

date_hour | user sign ins
10        | 120
11        | 151
12        | 122
13        | 100
14        | 532
15        | 332

And then I wish to show some markers on that timeline, e.g. stats first (promo_email) by date_hour

 date_hour | email sent   
 10        | 'bacn'       
 13        | 'free stuff'

How could I represent the relationship between these two concepts in the same chart/report/dashboard?

Edit:
The relationship between them being that an event in the second search could cause a spike in the first search but splunk does not seem to have a way to draw lines/markers to show these.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-02-2016 06:40 PM

Hi chustar,

you can combine both searches and simply use:

 your base search here | timechart count(sign_ins) AS sign_ins first(promo_email) AS promo_email by date_hour

But be aware that you should not use the date_* fields; see this answer to learn more on that https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html

Hope this helps ...

cheers, MuS

Update:

The problem is that you want to show numbers and strings on a timechart, therefore this is tricky. But there is an eval trick where you can use values and make them field names 😉

Take a look at this run everywhere command which will count kbps and use the first source of each hour as the filed name:

 index=_internal source=* 
| bin _time span=1h | streamstats first(source) AS first_source_by_hour by _time 
| fields first_source_by_hour kbps 
| eval {first_source_by_hour}=kbps 
| timechart span=1h sum(*) AS * | fields - kbps

The result in a bar chart will look like this:

alt text

So, you could use your email promo instead of source and show it this way.

Preview file
1 KB
Reply

chustar
Path Finder
‎08-02-2016 07:19 PM

Thanks MuS. This is what I'm doing now. I can keep it as a table, but I was hoping there was someway I don't know of to show it in a single chart (vertical line when the email is sent), or to call out that potential relationship somewhat better.
And thanks for the date_* tip.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-02-2016 07:59 PM

little update ping with a new idea

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...