I want to draw a horizontal line across the following column time chart made out of a saved search
| timechart span=1mon avg(numDropPkt) as avgDrop BY host
Adding " |eval threashold = 100" gave me a few more column bars of value 100 (and the number of newly added columns is equal to the number of months searched), not a horizonal line.
The following link asked the same question, but the answer is very high level.
http://splunk-base.splunk.com/answers/71142/horizontal-line-in-flash-bar-chart
http://splunk-base.splunk.com/answers/9053/example-of-chart-overlay
There is an answer for how to do it with a flashchart. It cannot be done with a JSChart.
http://splunk-base.splunk.com/answers/9053/example-of-chart-overlay
There is an answer for how to do it with a flashchart. It cannot be done with a JSChart.
This is how to format for charting use. You still need to have the data as results from your search be it from an append or from an eval.
Try this:
yoursearchhere
| append [ sourcetype=yoursourcetype | addinfo | where _time >= info_min_time AND time <= info_max_time
| eval numDropPkt = 100 | eval host="Threshold" ]
| timechart span=1mon avg(numDropPkt) as avgDrop by host
BTW, the only purpose of the sourcetype=yoursourcetype
is to obtain some events to transform into the values that I want. Any sourcetype would work if it has at least one event per month over the duration that you are searching - and fewer events would be better.
Thank you very much for your willingness to help. There is still no line show in the column graph. I am not sure why the table view tab, as I'd like a graph rather than a table report. And also since I do not understand the logic behind the script, I cannot really test/twist your script to fit my data. It could be just I did not use your script correctly.
Try this
yoursearchhere
| append [ sourcetype=yoursourcetype | addinfo | where _time >= info_min_time AND time <= info_max_time
| eval numDropPkt = 100 | eval host="Threshold" ]
| timechart limit=0 cont=T fixedrange=F span=1mon avg(numDropPkt) as avgDrop by host
And look at the Table View tab.
I am trying to do a similar thing here-- simply draw a line across my graph showing a "full_capacity" line.
I've tried
mysearch | eval capacity=100 | stats max(capacity) to no avail.
Also capacity=tonumber(100) is no different.
A new way to do this?
Alternatively, to clearly label the top of my chart's Y-axis? Choosing the value in the dashboard UI doesn't label the top.
Thanks!
It was 9 in one example but can vary.
How many hosts are you trying to show in this chart?
Thanks! I tried the scripts and ensured "sourcetype=yoursourcetype" has events per month, however, there is no horizontal line showing up in the chart.