Splunk Search

How to create a timeline of unique events using field and group by date field?

Path Finder

I would like to create a timeline chart panel that displays the distinct count of events based on some field and then groups the timeline based on a string datetime field. I think I have it but need to confirm this is the right and best way.

sourcetype="data.stats" | where message_type="Check" | convert timeformat="%Y-%m-%d" ctime(pdate) AS date | timechart dc(check_id) by date

I think it's right but not sure as it does resemble this panel which would be correct if the date field corresponded to the current datetime.

sourcetype="data.stats" | where message_type="Check" | timechart dc(check_id)

Appreciate help on this.

0 Karma

Splunk Employee
Splunk Employee

@jdepp - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

Revered Legend

I think something like this would work for you. The timechart axis will be based on values of field pdate.

sourcetype="data.stats" | where message_type="Check" | eval _time=strptime(pdate,"%Y-%m-%d") | timechart dc(check_id) as check_id_count
0 Karma

Splunk Employee
Splunk Employee

Instead of using timechart you can use the chart command instead.

... | timechart span=s f(x) by y

is essentially the same as

... | chart f(x) by _time span=s, y

see this answer https://answers.splunk.com/answers/9730/using-a-different-time-base-on-timechart.html.

So with that maybe you could try this

sourcetype="data.stats" | where message_type="Check" | convert timeformat="%Y-%m-%d" ctime(pdate) AS date | chart dc(check_id) by date span=1m

Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...