Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Add a Static Baseline?

tfitzgerald15
Explorer
‎10-02-2013 07:11 AM

I'm trying to set up a dashboard panel to automatically alert me every time the number of critical or high threat hits goes over a pre-determined baseline. Right now I have that manually calculated, but I can go through and tweak that later. So, what I've got so far:

sourcetype="pan_threat" (severity="high" OR "critical") | timechart span=1h count by date | eval Baseline=1240 | stats first(Baseline) as Baseline

I expected this to chart the normal graph of count by date that I've been using, then append a line at the value of Baseline for each day. Instead, I get this.

Baseline

1 1240

Any thoughts on why it's not working?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:20 AM

Your last command is a stats command so you get that view.

Updated:

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 08:03 AM

This works for me, i just moved the split by date after the first(BaseLine) as Baseline. If you create a line chart you should then see the two lines you are looking for.

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:51 AM

That is a lot better. I just completely got rid of the "By Date". However, now the baseline appears broken up. Wish I could post links, I'd show you an image of what I see.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:45 AM

Oh yeah sorry, the by date part is messing that up. I think you can move the split 'by date' to the end. I'm on my phone right now but will check this for you later.

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:28 AM

And then I get the following error.

Error in 'timechart' command: The argument 'first(baseline)' is invalid.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...