That's true, Splunk adds one at index time, but the time this happens depends on how you are consuming the data (over network, local/remote file/dir monitoring, etc) and the frequency/polling between updates. Whenever there is a new measure, the file gets updated or is it done in bigger chunks? I believe it's is "safer" to rely on -your- timestamp, especially giving that that might exist a delay between any stage of data transport, especially if it's over the network, etc. ... View more

Don't you have any time-value available on the log/line? If you don't have the exact time of the measurement, then you would just have the time when the file itself was generated, right? ... View more

Can you shows us a sample of the log as well as a sample graph? I'm afraid you simply graph it using Splunk's default "line chart". ... View more

I would suggest you using transaction command if the data volume is not so high. The biggest advantage is that it enables you to aggregate similar events from the distinct sources in one transaction while providing a "duration" field based on the _time used between the similar events. By using eval's mvindex() you are then able to keep only the last or first events from the transaction. ... View more

That's likely possible with XML tweaking or by using a custom D3/Chart. There is an easy way to display at the bottom though, where you see the labels/legend: search | stats count by field | eval field=field."(".count.")" ... View more

Hi yoho, see if this article helps you shed some light: http://foren6.wordpress.com/2014/11/18/why-is-my-splunk-transaction-not-working/ ... View more

Yeah, the magic mvlist does the job, I've provided an example usage here as well: http://foren6.wordpress.com/2014/11/18/why-is-my-splunk-transaction-not-working/ ... View more

Hey guys, I've put together a small article addressing some of those issues with transactions, happy to receive feedback! http://foren6.wordpress.com/2014/11/18/why-is-my-splunk-transaction-not-working/ ... View more