Splunk Search

How to change timeline's span while not changing event's span

Explorer

Hi guys,

I faced this problem when implemented "Export" functionality to my reports. Unfortunately, time there was only displayed as a non-readable timestamp, so I had to convert the _time value to a human-readable string.

It resulted in my X-axis to look like a complete mess

alt text

It seems that the _time change has also changed my span parameter, though it's actually empty. Anyway, the thing is that I now need span=2h for the search results (i.e. the actual line), but I don't need to see that many "time sockets" on the bottom.

What I'm looking for is something like the default timeline, like that:

alt text

Where report's line does not necessarily have a timeline slot allocated at each results set.

So I was wondering, if there is a module or a parameter that I can use in order to specify the span parameter particularly for the timeline, not for the whole search.

Alternatively, is there a way to format the _time value exported into the CSV, so that the online report will remain untouched?

Thanks.

Tags (3)
0 Karma

Legend

Try this:

yoursearchstuffhere |
eval timestamp = strftime(_time,"%x %X") |
exportstuffhere |
timechart span=1h fixedrange=f fieldtoChart

What this does is create a new field called timestamp that is human-readable. Export that, and don't jank with _time. (You can, but it makes a mess as you see.) I may not have the span option set the way you want on the timechart, but I think you can see the options. Once you get the timechart, choose Format Options to change it to a bar chart and it will look more like the timeline.

I hope I understood the question!

0 Karma

Legend

results

Should make the module export the results, not the events. This might include the timestamp field. Not sure what other things can be set on the Export.

0 Karma

Explorer

The thing is that I'm using Export module in order to export my reports. It's not query-based.

I thought about the idea you suggest, but couldn't find any documented information on how to specify inputs for the Export module.

Thanks anyway!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!