Splunk Search

How to change timeline's span while not changing event's span

zucler
Explorer

Hi guys,

I faced this problem when implementing "Export" functionality for my reports. Unfortunately, time there was only displayed as a non-readable timestamp, so I had to convert the _time value to a human-readable string.

It resulted in my X-axis looking like a complete mess.

It seems that the _time change has also changed my span parameter, though it's actually empty. Anyway, the thing is that I now need span=2h for the search results (i.e. the actual line), but I don't need to see that many "time sockets" on the bottom.

What I'm looking for is something like the default timeline, where the report's line does not necessarily have a timeline slot allocated for each result set.

So I was wondering if there is a module or a parameter that I can use in order to specify the span parameter for the timeline only, not for the whole search.

Alternatively, is there a way to format the _time value exported into the CSV, so that the online report will remain untouched?

Thanks.


lguinn2
Legend

Try this:

yoursearchstuffhere |
eval timestamp = strftime(_time,"%x %X") |
exportstuffhere |
timechart span=1h fixedrange=f fieldtoChart

What this does is create a new field called timestamp that is human-readable. Export that, and don't jank with _time. (You can, but it makes a mess as you see.) I may not have the span option set the way you want on the timechart, but I think you can see the options. Once you get the timechart, choose Format Options to change it to a bar chart and it will look more like the timeline.

I hope I understood the question!

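A fuller version of the pattern in the answer above, added here as an illustration rather than taken from the original post; the index, sourcetype and the 2h span the question asks for are assumptions:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| timechart span=2h fixedrange=f count AS events
| eval timestamp=strftime(_time, "%Y-%m-%d %H:%M")
| fields _time timestamp events
```

_time stays an epoch value, so the chart still buckets on it and draws its own axis, while the CSV export carries the readable timestamp column alongside it.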

lguinn2
Legend

results

Should make the module export the results, not the events. This might include the timestamp field. Not sure what other things can be set on the Export.


zucler
Explorer

The thing is that I'm using the Export module in order to export my reports. It's not query-based.

I thought about the idea you suggest, but couldn't find any documented information on how to specify inputs for the Export module.

Thanks anyway!
