Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you show events on a timeline?

chustar
Path Finder
‎08-02-2016 06:11 PM

Assuming I'm showing events on a timeline, say for example, timechart count(sign_ins) by date_hour

date_hour | user sign ins
10        | 120
11        | 151
12        | 122
13        | 100
14        | 532
15        | 332

And then I wish to show some markers on that timeline, e.g. stats first (promo_email) by date_hour

 date_hour | email sent   
 10        | 'bacn'       
 13        | 'free stuff'

How could I represent the relationship between these two concepts in the same chart/report/dashboard?

Edit:
The relationship between them being that an event in the second search could cause a spike in the first search but splunk does not seem to have a way to draw lines/markers to show these.

0 Karma
Reply

MuS
Legend
‎08-02-2016 06:40 PM

Hi chustar,

you can combine both searches and simply use:

 your base search here | timechart count(sign_ins) AS sign_ins first(promo_email) AS promo_email by date_hour

But be aware that you should not use the date_* fields; see this answer to learn more on that https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html

Hope this helps ...

cheers, MuS

Update:

The problem is that you want to show numbers and strings on a timechart, therefore this is tricky. But there is an eval trick where you can use values and make them field names 😉

Take a look at this run everywhere command which will count kbps and use the first source of each hour as the filed name:

 index=_internal source=* 
| bin _time span=1h | streamstats first(source) AS first_source_by_hour by _time 
| fields first_source_by_hour kbps 
| eval {first_source_by_hour}=kbps 
| timechart span=1h sum(*) AS * | fields - kbps

The result in a bar chart will look like this:

alt text

So, you could use your email promo instead of source and show it this way.

Preview file
1 KB
Reply

chustar
Path Finder
‎08-02-2016 07:19 PM

Thanks MuS. This is what I'm doing now. I can keep it as a table, but I was hoping there was someway I don't know of to show it in a single chart (vertical line when the email is sent), or to call out that potential relationship somewhat better.
And thanks for the date_* tip.

0 Karma
Reply

MuS
Legend
‎08-02-2016 07:59 PM

little update ping with a new idea

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...