How to create a timeline of unique events using field and group by date field?

jdepp
Path Finder

I would like to create a timeline chart panel that displays the distinct count of events based on some field and then groups the timeline based on a string datetime field. I think I have it but need to confirm this is the right and best way.

sourcetype="data.stats" | where message_type="Check" | convert timeformat="%Y-%m-%d" ctime(pdate) AS date | timechart dc(check_id) by date

I think it's right but not sure as it does resemble this panel which would be correct if the date field corresponded to the current datetime.

sourcetype="data.stats" | where message_type="Check" | timechart dc(check_id)

Appreciate help on this.


aaraneta_splunk
Splunk Employee

@jdepp - Did one of the answers below help provide a solution to your question? If yes, please click "Accept" below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.


somesoni2
Revered Legend

I think something like this would work for you. The timechart axis will be based on values of field pdate.

sourcetype="data.stats" | where message_type="Check" | eval _time=strptime(pdate,"%Y-%m-%d") | timechart dc(check_id) as check_id_count
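The difference between the two panels in the question, as an added Python example that is not from this thread: it mimics `eval _time=strptime(pdate,"%Y-%m-%d") | timechart span=1d dc(check_id)` over constructed events and contrasts it with bucketing by the index time `_time`, which is what a plain `timechart dc(check_id)` does. The event records, field values and function names are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original thread): all were indexed
# on 2024-03-10, but the string field pdate spans several days, which is
# exactly the situation where the two timelines diverge.
SAMPLE_EVENTS = [
    {"_time": "2024-03-10T09:00:00", "pdate": "2024-03-08", "check_id": "c1", "message_type": "Check"},
    {"_time": "2024-03-10T09:00:01", "pdate": "2024-03-08", "check_id": "c2", "message_type": "Check"},
    {"_time": "2024-03-10T09:00:02", "pdate": "2024-03-08", "check_id": "c1", "message_type": "Check"},
    {"_time": "2024-03-10T09:00:03", "pdate": "2024-03-09", "check_id": "c3", "message_type": "Check"},
    {"_time": "2024-03-10T09:00:04", "pdate": "2024-03-09", "check_id": "c3", "message_type": "Other"},
    {"_time": "2024-03-10T09:00:05", "pdate": "not-a-date", "check_id": "c4", "message_type": "Check"},
]


def parse_pdate(value):
    """Equivalent of eval _time=strptime(pdate,"%Y-%m-%d"): returns None when the
    string does not match, just as strptime yields a null _time that timechart drops."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None


def distinct_checks_per_day(events, time_field="pdate"):
    """timechart span=1d dc(check_id), with the day taken from `time_field`:
    "pdate" reproduces the strptime answer, "_time" reproduces the plain timechart."""
    buckets = defaultdict(set)
    for ev in events:
        if ev.get("message_type") != "Check":  # where message_type="Check"
            continue
        if time_field == "pdate":
            day = parse_pdate(ev.get("pdate"))
        else:
            day = datetime.fromisoformat(ev["_time"]).date()
        if day is None:  # unparseable pdate: event falls out of the timeline
            continue
        buckets[day].add(ev["check_id"])
    return {day.isoformat(): len(ids) for day, ids in sorted(buckets.items())}


if __name__ == "__main__":
    print(distinct_checks_per_day(SAMPLE_EVENTS))                      # keyed on pdate
    print(distinct_checks_per_day(SAMPLE_EVENTS, time_field="_time"))  # keyed on index time
```

Keyed on pdate the timeline shows two distinct checks on 2024-03-08 and one on 2024-03-09; keyed on index time everything collapses into a single 2024-03-10 bucket of four, which is why the plain timechart only looks right when pdate matches the indexing time.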

kmccririe_splun
Splunk Employee

Instead of timechart you can use the chart command.

... | timechart span=s f(x) by y

is essentially the same as

... | chart f(x) by _time span=s, y

See this answer: https://answers.splunk.com/answers/9730/using-a-different-time-base-on-timechart.html

So with that, maybe you could try this:

sourcetype="data.stats" | where message_type="Check" | convert timeformat="%Y-%m-%d" ctime(pdate) AS date | chart dc(check_id) by date span=1m
