How to add the multiple timelines into one timelin...

RENUKA1 · ‎11-30-2023

Hello All,
I need to convert the Timeline with different times into one.
For example:
12:05AM 12:10AM 12:15AM should be taken as 12AM
1:05AM 1:10AM 1:15AM should be taken as 1AM and vice versa.

Can you please help me to write a query for this.

Timeline

Top 10 Values

Count	%
01:10:02 AM	2	0.368%
01:20:02 PM	2	0.368%
01:30:02 AM	2	0.368%
01:35:02 PM	2	0.368%
01:45:02 PM	2	0.368%
01:50:02 AM	2	0.368%
02:05:02 PM	2	0.368%
02:10:02 PM	2	0.368%
02:40:02 PM	2	0.368%
03:05:02 PM

Thank you.

RENUKA1 · ‎12-06-2023

@bowesmana Thanks for help
but I need the output in AM and PM sequence.Here is my actual output

01:00:02 AM	9.14
01:00:02 PM	12.06
01:05:02 AM	10.00
01:05:02 PM	11.17
01:10:02 AM

I except the output to be in first all the AM time should be display and followed by PM

01:00:02 AM	9.14
01:00:02 AM	12.06
01:05:02 AM	10.00
01:05:02 PM	11.17
01:10:02 PM

yuanliu · ‎12-07-2023

This is confusing. The order of output is determined by the order in which your data comes back from index search, not altered by bin command that @bowesmana suggests. If your data input is not ordered, simply sort your data.

| bin _time span=1h
| sort _time

bowesmana · ‎11-30-2023

Use the bin command, e.g.

| bin _time span=1h

How to add the multiple timelines into one timeline.

Timeline

eval

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability