Timelines

Use a timeline to visualize activity intervals and events over time for a set of resources. You can use a timeline for various use cases, such as tracking resource utilization, project timelines, or event patterns over time.

Each lane in a timeline represents a resource. An interval with a defined start time and duration appears as a horizontal bar. A discrete event with only a start time appears as a circle.

A timeline with 7 lanes tracking 5 categories over time.

Data formatting

Use timelines to display data for a single data series or multiple data series. Use a transforming command to aggregate values. You can use the table command with the following syntax:

... | table _time <resource_field> [<duration_field>] [<color_field>] [<tooltip_field>]

The following provides details on the fields for the table command:


Field	Required or optional	Description
`_time`	Required	Indicates event start time
`<resource_field>`		Indicates resource or category to plot on the timeline
`[<duration_field>]`		Indicates event duration. To only show events as discrete in the timeline, set the duration field to 0.
`[<color_field>]`	Optional	Determines colors for events and activity intervals. Required to configure dynamic coloring
`[<tooltip_field>]`	Optional	Additional field to display in tooltip when hovering over interval or event

Generate a timeline

Select the Add chart button ( ) in the editing toolbar and browse through the available charts. Choose the timeline.
Set up a new data source by selecting + Create search and adding a search to the SPL query window. Or, you can select an existing data source under the Search, Saved search, or Chain search sections.
(Optional) You can also write a new ID that describes the search better than the default by changing the ID in Data source name.
Select Apply and close.

Configuration Panel options for timelines

Title

Give your visualization a name. The title name is also helpful when searching for individual visualizations in the dashboard definitions and is not the same as the automatically assigned unique ID.

Description

Give your visualization a description to explain what the user is viewing.

Data sources

Choose an existing search or create a new one.

Visibility

Optionally hide the visualization when data is unavailable and configure custom visibility conditions.

Position and size

You can use your cursor or the Position and size section of the Configuration panel to change the size or location of the visualization for pixel-perfect sizing and placement.

Data configurations

Select the X list to pick the field for the visualization x-axis.
Select the Y list to pick the field for the visualization y-axis.
Select the Duration list to pick the field that defines event duration. Events with a duration display as bars instead of circles.
Select the Category list to pick the field that assigns categories to events. The visualization colors the events based on their category.
Select the Additional Tooltip Fields list to pick extra fields to display in tooltips. These fields and their values show when hovering over events in addition to the default tooltip information.

Data display

Select the Lane label width setting to specify the width in pixels for y-axis labels.

Color and style

You can customize how events are colored in the visualization by choosing one of two approaches:

Series colors: use a predefined color palette to assign fixed colors to each series.
Dynamic coloring

Apply colors dynamically based on data values. You can:
- Color by Ranges to assign colors based on numeric ranges (e.g., values less than 25 are red, between 25 and 50 are orange, between 50 and 75 are yellow, and 75 or higher are green).
- Color by Matches to assign colors to specific values (e.g., “Error” is red, “Warning” is orange, and “Success” is green).
  - Use the asterisk (*) character as a wildcard in match values to represent any number of characters in a string. You can place an asterisk anywhere within the string. Matching prioritizes exact values, followed by values with more common characters. If multiple match values share the same length and number of wildcards, they will be matched according to their order of entry.

Legend

Use Position to choose the position of the legend.
Use Truncation to choose how legend labels are truncated when they overflow the layout boundaries by choosing where to place ellipses (...)

Interactions

Use drilldown to create interactivity with the different map layers. For example, with drilldown, users can click on a bubble to set a token which you can use to open a secondary search using the clicked values. For more details about setting tokens, see Setting tokens on a visualization click.

Source code

Select your visualization or its search to view and edit the source code in real time. You can also change the Visualization ID to a more readable ID to help identify this visualization in the source code.

Timeline example

A timeline with 3 lanes tracking attack types by network segment over time.

Expand this window to see the source code for the example timeline.

{
    "dataSources": {
        "primary": "ds_ZDwPn84c"
    },
    "options": {
        "backgroundColor": "transparent",
        "category": "> primary | seriesByName('attack_type')",
        "legendDisplay": "right",
        "dataColors": "",
        "seriesColors": [
            "#7B56DB",
            "#009CEB",
            "#00CDAF",
            "#DD9900",
            "#FF677B",
            "#CB2196",
            "#813193",
            "#0051B5",
            "#008C80",
            "#99B100",
            "#FFA476",
            "#FF6ACE",
            "#AE8CFF",
            "#00689D",
            "#00490A",
            "#465D00",
            "#F6540B",
            "#FF969E",
            "#E47BFE"
        ]
    },
    "title": "Attack Types by Network Segment Over Time",
    "type": "splunk.timeline",
    "containerOptions": {
        "description": {
            "color": "#000000"
        },
        "title": {
            "color": "#000000"
        }
    },
    "context": {
        "dataColorConfig": [
            {
                "to": 20,
                "value": "#D41F1F"
            },
            {
                "from": 20,
                "to": 40,
                "value": "#D94E17"
            },
            {
                "from": 40,
                "to": 60,
                "value": "#CBA700"
            },
            {
                "from": 60,
                "to": 80,
                "value": "#669922"
            },
            {
                "from": 80,
                "value": "#118832"
            }
        ]
    },
    "showProgressBar": true,
    "showLastUpdated": false
}

Source options for timelines

The following options are available for editing timelines in the source editor:


Property	Type	Default	Description
x	(string \| number)[]	> primary \| seriesByType("time")	Specify the data source applied to the x-axis.
y	(string \| number)[]	> primary \| seriesByPrioritizedTypes("string", "number")	Specify the data source applied to the y-axis.
duration	(string \| number)[]	> primary \| seriesByPrioritizedTypes("number", "time")	Specify the data source to apply duration to events (renders events over a length of time as a bar rather than a circle).
category	(string \| number)[]	> primary \| seriesByName("category")	Specify the data source to apply series categories (colors events into distinct categories).
xField	string	> x \| getField()	Specify the field that should be mapped to the x-axis.
yField	string	> y \| getField()	Specify the field that should be mapped to the y-axis.
durationField	string	> duration \| getField()	Specify the field that should be mapped to the x-axis.
categoryField	string	> category \| getField()	Specify the field that should be mapped to the y-axis.
additionalTooltipFields	string[]	[]	Specify the fields to add to the default set of tooltips. Tooltips appear when you hover over events, showing these fields and values in addition to the defaults.
backgroundColor	string	> themes.defaultBackgroundColor (Enterprise light: #ffffff, Enterprise dark: #000000, Prisma dark: #0b0c0e)	Specify the color for the background. May use a data source. Accepts transparent, rgb(...), rgba(...), or theme-based values.
dataColors	(string \| array)	Not defined by default (falls back to seriesColors)	Specify the colors to use for events. Can be an array of colors or a data source for dynamic coloring.
legendDisplay	string	off	Specify the location of the legend on the panel. Options: "right", "bottom", "off".
legendTruncation	string	ellipsisEnd	Specify how to display legend labels when they overflow (ellipsis at end, middle, start, or disabled).
resultLimit	number	10000	Specify the maximum number of events to render on the timeline (useful for performance tuning).
seriesColors	string[]	["#7B56DB", "#009CEB", "#00CDAF", "#DD9900", "#FF677B", "#CB2196", "#813193", "#0051B5", "#008C80", "#99B100", "#FFA476", "#FF6ACE", "#AE8CFF", "#00689D", "#00490A", "#465D00", "#9D6300", "#F6540B", "#FF969E", "#E47BFE"]	Specify the colors used for a series.
yAxisLabelWidth	number	100	Specify the width (in pixels) for y-axis labels.