How to create a timeline of unique events using fi...

jdepp · ‎01-09-2017

I would like to create a timeline chart panel that displays the distinct count of events based on some field and then groups the timeline based on a string datetime field. I think I have it but need to confirm this is the right and best way.

sourcetype="data.stats" | where message_type="Check" | convert timeformat="%Y-%m-%d" ctime(pdate) AS date | timechart dc(check_id) by date

I think it's right but not sure as it does resemble this panel which would be correct if the date field corresponded to the current datetime.

sourcetype="data.stats" | where message_type="Check" | timechart dc(check_id)

Appreciate help on this.

aaraneta_splunk · ‎01-21-2017

@jdepp - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

somesoni2 · ‎01-09-2017

I think something like this would work for you. The timechart axis will be based on values of field pdate.

sourcetype="data.stats" | where message_type="Check" | eval _time=strptime(pdate,"%Y-%m-%d") | timechart dc(check_id) as check_id_count

kmccririe_splun · ‎01-09-2017

Instead of using timechart you can use the chart command instead.

... | timechart span=s f(x) by y

is essentially the same as

... | chart f(x) by _time span=s, y

see this answer https://answers.splunk.com/answers/9730/using-a-different-time-base-on-timechart.html.

So with that maybe you could try this

sourcetype="data.stats" | where message_type="Check" | convert timeformat="%Y-%m-%d" ctime(pdate) AS date | chart dc(check_id) by date span=1m

How to create a timeline of unique events using field and group by date field?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms