I have some ideas about this. First, you'll need your dates/times in datetime format, convertible to unix epoch time. Here's my mockup that I'm working with - run this and take a close look at the output.

| makeresults format=csv data="time_start, time_end, person
2024-03-07T07:00:00-0600, 2024-03-07T11:00:00-0600, Rich
2024-03-08T07:30:00-0600, 2024-03-08T15:00:00-0600, Rich"
| eval _time = strptime(time_start, "%Y-%m-%dT%H:%M:%S%z"), time_end_unix = strptime(time_end, "%Y-%m-%dT%H:%M:%S%z")
| append
    [| makeresults format=csv data="incident_time, incident
2024-03-07T06:50:00-0600, blizzard
2024-03-07T11:23:00-0600, hurricane
2024-03-08T13:44:00-0600, tornado
2024-03-08T18:03:00-0600, dust_storm"
    | eval _time = strptime(incident_time, "%Y-%m-%dT%H:%M:%S%z") ]

I'm just making it up though - hopefully your search will look more like:

(index=timetracking (sourcetype="user:clockin" OR sourcetype="user:clockout") OR index=incidents)
| eval time_end_unix = strptime(<my end time field>, <my time format string>)

You'll need to install the Timeline visualization from https://splunkbase.splunk.com/app/3120

Now that we have that data, the Time viz requires a specific format of data, so let's do a little work... You need a duration, right? (And it has to be in milliseconds, so in most sane environments you'll just want to multiply the "seconds" by 1000.) So to the end of the above search, add this:

| eval duration = if(time_end_unix>0, (time_end_unix - _time) * 1000, 0)

Now, take a look at those results. The important fields are _time, duration, and incident and person. But incident and person are two different things and the visualization won't like that a lot. So let's put them together. Add to the end of *that* ...

| eval item = coalesce(person, incident)

Now, added to the output is "item" with either "Rich" or some random weather event. Good enough! At least for pass #1. Let's add a table command to the end of *that*...

| table _time, item, duration

Then click the visualization tab, change it to the Timeline, and ... well, it's close! Unfortunately, I don't like the blizzard, hurricane, tornado and dust_storm all being on their own lines like in this screenshot. How can we fix that? Well, one way would be to make all the incidents' "names" just be "incident" so it'd show up on its own line. To do that, change the "eval item =..." line to

| eval item = if(isnotnull(person), person, "incident")

and leave the ending | table command. Now it looks like this.

I honestly think that as long as you may have multiple people's schedules, this is as good as you can get. Example with another person added in:

But if you absolutely know there will never be another person, you could make them sit on top of each other by any mechanism to just make "person" always be "Rich". Here I use a fillnull command.

Anyway, my suggestion is to play with my examples until you understand them. Once you do, you might be able to make your own data work like this. But if you still have difficulties after all that, post back and we'll see if we can help! Also, it's entirely possible someone else will come up with a completely different type of answer. I don't know, it'll be interesting if they do - there's a lot of smart folks around here and we don't all think alike!

Happy Splunking,
Rich
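The steps above assembled into one search that can be pasted in as-is (an added example, not code from the original post). It assumes Splunk 9 or later for `makeresults format=csv` and the triple-backtick SPL comments, uses `%z` for the numeric UTC offset in the sample timestamps, and treats a missing end time as a zero-duration point event so incidents render as markers on the Timeline. The constructed rows are the same mockup data as the post:

```spl
| makeresults format=csv data="time_start,time_end,person
2024-03-07T07:00:00-0600,2024-03-07T11:00:00-0600,Rich
2024-03-08T07:30:00-0600,2024-03-08T15:00:00-0600,Rich"
``` shift rows: _time is the start, time_end_unix the end (epoch seconds) ```
| eval _time = strptime(time_start, "%Y-%m-%dT%H:%M:%S%z"),
       time_end_unix = strptime(time_end, "%Y-%m-%dT%H:%M:%S%z")
| append
    [| makeresults format=csv data="incident_time,incident
2024-03-07T06:50:00-0600,blizzard
2024-03-07T11:23:00-0600,hurricane
2024-03-08T13:44:00-0600,tornado
2024-03-08T18:03:00-0600,dust_storm"
     ``` incident rows: only a start time, no time_end_unix ```
     | eval _time = strptime(incident_time, "%Y-%m-%dT%H:%M:%S%z")]
``` Timeline wants duration in milliseconds; incidents get 0 (a point event) ```
| eval duration = if(isnotnull(time_end_unix), (time_end_unix - _time) * 1000, 0)
``` one Timeline row per person, and every incident collapsed onto a single "incident" row ```
| eval item = if(isnotnull(person), person, "incident")
``` alternative when there is only ever one person and you want incidents on that person's row:
    | fillnull value="Rich" person | eval item = person ```
| table _time, item, duration
| sort _time
```

Switch the visualization to Timeline after running it; the `sort _time` is only there to make the table view easy to read against the mockup timestamps.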