Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Annotation of graph not working when i use the below command.

marvinlee93
Explorer
‎02-28-2019 10:27 PM

Hi all. I'm facing some issues in displaying annotations for my graphs. I suspect that something is wrong when I use 2 STREAMSTATS command. My annotation for that particular graph seems to stop working.

When I run this code, it works!

index="alarm"
| streamstats avg(alarmcount) as average stdev(alarmcount) as standev

| eval threeSigmaLimit = (average + (standev * 3))
| where alarmcount > threeSigmaLimit | eval annotation_label = index | eval annotation_color = "0xff9900"
| table _time annotation_label alarmcount
$field1.earliest$
$field1.latest$

However, when I run this code. The annotation disappears.

index="alarm"
| streamstats window=2 min(alarmcount3) as minimum
| eval is_increase=if(alarmcount3!=minimum,1,0)
| streamstats window=7 sum(is_increase) as increases
| where increases>=7
| eval increase_index = index2 - 6
| eval annotation_label = increase_index| eval annotation_color = "0xff9900"
| table _time annotation_label alarmcount3
$field1.earliest$
$field1.latest$

any idea whY??

Tags (1)
0 Karma
Reply

nikita_p
Contributor
‎02-28-2019 11:06 PM

Hi,
When you run the 2nd search do you get any output or only annotation disappears?

0 Karma
Reply

marvinlee93
Explorer
‎03-01-2019 12:48 AM

Hi, I get the output but not the annotation. I'm suspecting the 'double' streamstats command is affecting it.

alt text

0 Karma
Reply

nikita_p
Contributor
‎03-01-2019 03:11 AM

Hi,
Don't run your search completely but try running it part by part so that you can find which part of your search is going wrong.

0 Karma
Reply

marvinlee93
Explorer
‎03-03-2019 05:51 PM

Yup! I did. I realised that if I remove the '2nd' streamstats command, everything works. Hmmm... I really think that it isn't the code that has a problem here..

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...