topic Re: How to add "point-in-time" annotations to a chart? in Splunk Search

How to add "point-in-time" annotations to a chart?

NaraSplunk — Wed, 24 Jun 2015 19:43:19 GMT

I'd like to "annotate" a graph which shows performance over time with what points the releases have been at.

I see that there was an idea that this feature would be available: http://answers.splunk.com/answers/4108/annotation-chart-over-line-chart-overlay.html

Did it ever get implemented, perhaps under another name? Is there a way to approximate this functionality?

Re: How to add "point-in-time" annotations to a chart?

lguinn2 — Wed, 24 Jun 2015 20:05:46 GMT

Assume that you have a CSV file with the release information, in a format like this

timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"

Note that the time is in Linux epoch format, and is just a date (ie, a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions)

How assume that your current search looks like this:

yoursearchhere
| timechart span=1d avg(performance_number) as perf

To add the release information, do this

yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp [ inputlookup yourlookupfile.csv | eval x=100 | chart avg(x) by timestamp releaseId ]
| fields - timestamp

Use the column chart visualization, then choose a chart overlay. For the chart overlay field, chose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".

Re: How to add "point-in-time" annotations to a chart?

NaraSplunk — Fri, 26 Jun 2015 21:36:46 GMT

Messy, but it'll work.

Re: How to add "point-in-time" annotations to a chart?

lguinn2 — Fri, 26 Jun 2015 22:40:07 GMT

Well, the nice thing is that you can use the same CSV file with a variety of different charts...