Hello,
I am trying to use the custom splunk visualisation.
I have formatted my search as the following:
index=my_index my_search
| timechart span=30s sum(qty) as "Qty"
However, when trying to apply the timeline visualization, each qty is displayed on it's own row instead of a single row with each 30s sum shown.
Each one of the blue circles represents a qty.
Below is what I am trying to achieve, each 30s bin shows a blue event circle and when mouseover it shows the sum of qty in that bin.
Below is the format of my data
| _time | qty |
| 2023-03-23 09:46:00 | 80 |
| 2023-03-23 09:46:30 | 85 |
| 2023-03-23 09:47:00 | 180 |
| 2023-03-23 09:47:30 | 276 |
| 2023-03-23 09:48:00 | 120 |
| 2023-03-23 09:48:30 | 390 |
| 2023-03-23 09:49:00 | 411 |
| 2023-03-23 09:49:30 | 125 |
| 2023-03-23 09:50:00 | 173 |
| 2023-03-23 09:50:30 | 40 |
| 2023-03-23 09:51:00 | 314 |
Thank you for any help.
Ultimately I want to see different fields on each row, this one will be qty, the next will be rating etc
Hi,
It's not quite an intended timeline use case, but you can obtain the desired result by adding a resource field with value "Qty" and a dummy/null color field:
| tstats count as qty where index=_internal earliest=-1h@h latest=@h by _time span=30s
| eval qty=if(qty%2==0, null(), qty)
| search qty=*
```end mock data```
| eval ```resource/row``` resource="Qty"
```include a dummy color field to render circles```
| table _time resource color qty
