How to create a timeline table?

faustf · ‎10-01-2023

Hi,
we are logging api requests in Splunk.

I would like to create a sort of health check table where every column represents the status code of the last API call in previous 5 minutes. While each row is a different API.

Here an example of what the output should be

Any Idea how I could achieve that in Splunk?

Each row represents a different API ( request.url), while the status code is stored in response.status

Thank you

richgalloway · ‎10-01-2023

See if this helps. It uses actual times rather than relative ones, but the format is there.

index=_internal status=* earliest=-30m 
``` Get the most recent status for each API every 5 minutes
| timechart span=5m latest(status) as status by API
``` Convert timestamp to time (HH:MM) ```
| eval _time=strftime(_time,"%H:%M") 
``` Flip the display so time is across the top and API down the side ```
| transpose 0 header_field=_time column_name="API" 
``` Fill in blank cells ```
| fillnull value="-"

---
If this reply helps you, Karma would be appreciated.

faustf · ‎10-03-2023

Very good this is what I was looking for. Thank you.

Do you know how I can now color each cell depending on the status code?

Usually I use the following configuration in the dashboard

<format type="color" field="status">
  <colorPalette type="expression">case(value like "5%","#D6563C",value like "4%","#F2B827",value like "3%","#A2CC3E",value like "2%","#65A637",true(),null)</colorPalette>
</format>

but it is not working now (I suppose because of the transpose command).

richgalloway · ‎10-04-2023

I suspect you are right, but you probably should post a separate question about that.

---
If this reply helps you, Karma would be appreciated.

How to create a timeline table?

table

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...