Splunk Search

how to add a horizontal line to a column/bar chart

myli12
Path Finder

I want to draw a horizontal line across the following column time chart made out of a saved search

| timechart span=1mon avg(numDropPkt) as avgDrop BY host

Adding " |eval threashold = 100" gave me a few more column bars of value 100 (and the number of newly added columns is equal to the number of months searched), not a horizonal line.

The following link asked the same question, but the answer is very high level.

http://splunk-base.splunk.com/answers/71142/horizontal-line-in-flash-bar-chart

Tags (2)
0 Karma
1 Solution

tfletcher_splun
Splunk Employee
Splunk Employee

http://splunk-base.splunk.com/answers/9053/example-of-chart-overlay

There is an answer for how to do it with a flashchart. It cannot be done with a JSChart.

View solution in original post

tfletcher_splun
Splunk Employee
Splunk Employee

http://splunk-base.splunk.com/answers/9053/example-of-chart-overlay

There is an answer for how to do it with a flashchart. It cannot be done with a JSChart.

tfletcher_splun
Splunk Employee
Splunk Employee

This is how to format for charting use. You still need to have the data as results from your search be it from an append or from an eval.

0 Karma

lguinn2
Legend

Try this:

yoursearchhere
| append [ sourcetype=yoursourcetype  | addinfo | where _time >= info_min_time AND time <= info_max_time
    | eval numDropPkt = 100 | eval host="Threshold" ]
| timechart span=1mon avg(numDropPkt) as avgDrop by host

BTW, the only purpose of the sourcetype=yoursourcetype is to obtain some events to transform into the values that I want. Any sourcetype would work if it has at least one event per month over the duration that you are searching - and fewer events would be better.

myli12
Path Finder

Thank you very much for your willingness to help. There is still no line show in the column graph. I am not sure why the table view tab, as I'd like a graph rather than a table report. And also since I do not understand the logic behind the script, I cannot really test/twist your script to fit my data. It could be just I did not use your script correctly.

0 Karma

lguinn2
Legend

Try this

yoursearchhere
| append [ sourcetype=yoursourcetype | addinfo | where _time >= info_min_time AND time <= info_max_time
| eval numDropPkt = 100 | eval host="Threshold" ]
| timechart limit=0 cont=T fixedrange=F span=1mon avg(numDropPkt) as avgDrop by host

And look at the Table View tab.

0 Karma

rabitoblanco
Path Finder

I am trying to do a similar thing here-- simply draw a line across my graph showing a "full_capacity" line.
I've tried
mysearch | eval capacity=100 | stats max(capacity) to no avail.
Also capacity=tonumber(100) is no different.
A new way to do this?
Alternatively, to clearly label the top of my chart's Y-axis? Choosing the value in the dashboard UI doesn't label the top.

Thanks!

0 Karma

myli12
Path Finder

It was 9 in one example but can vary.

0 Karma

lguinn2
Legend

How many hosts are you trying to show in this chart?

0 Karma

myli12
Path Finder

Thanks! I tried the scripts and ensured "sourcetype=yoursourcetype" has events per month, however, there is no horizontal line showing up in the chart.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...