Splunk Search

How to add a horizontal threshold line overlay in column chart?

splunker12er
Motivator

I have created a savedsearch which displays the Current license usage indexer wise. ("|rest" query)

x- axis : Indexer-1 , Indexer-2, Indexer-3
Y-axis :  Amount of Gb indexed .(Eg : 10,20,30,40,50)

I have created a column chart out of this records. Now, I need to add an overlay threshold line in between this column chart.

Warning threshold : 40Gb
Critical threshold   : 45Gb

How do i add these horizontal threshold lines in my column chart ?

Please advise

Tags (3)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Append this to your search:

... | eval warning = 40 | eval critical = 45

And set those two as overlay lines in the chart formatting. Needs Splunk 6.1 for the graphical formatting editor.

Did you take a look at the existing license usage report? http://host:8000/en-US/manager/search/licenseusage
That already comes with a threshold line, computed from your license size.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Append this to your search:

... | eval warning = 40 | eval critical = 45

And set those two as overlay lines in the chart formatting. Needs Splunk 6.1 for the graphical formatting editor.

Did you take a look at the existing license usage report? http://host:8000/en-US/manager/search/licenseusage
That already comes with a threshold line, computed from your license size.

madrum
Explorer

Step 1 is to specify ... | eval warning = 40 | eval critical = 45
Step 2, more importantly, is to open up the Format option > select Chart Overlay, in the Overlay textbox, select "warning" or whatever you call it and that will be a horizontal line on your column chart.

0 Karma

ppablo
Retired

Hi @madrum

Just comment to add additional context to an answer in the future. Please only reserve downvoting for answers that could be potentially harmful for a user's environment. To understand how voting etiquette works in this forum and Splunk community, please review this post:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

madrum
Explorer

I downvoted this post because it doesn't answer the question. this suggestion adds another column, not a horizontal bar like the poster requested.

martin_mueller
SplunkTrust
SplunkTrust

The answer does mention setting the overlay in the chart formatting editor?

0 Karma

Richfez
SplunkTrust
SplunkTrust

splunker12er,

If you found this answer reasonably useful, could you please "accept" it so that future searchers will know it's a good answer to the question?

Thanks!

0 Karma

splunker12er
Motivator

my query :

'search query' | table Indexer-1,indexer-2,Indexer-3

tabulated the results and using coulmn chart view

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...