
Annotation of graph not working when I use the below command.

Explorer

Hi all. I'm facing some issues in displaying annotations for my graphs. I suspect that something is wrong when I use 2 STREAMSTATS commands. My annotation for that particular graph seems to stop working.

When I run this code, it works!

index="alarm"
| streamstats avg(alarmcount) as average stdev(alarmcount) as standev

| eval threeSigmaLimit = (average + (standev * 3))
| where alarmcount > threeSigmaLimit
| eval annotation_label = index
| eval annotation_color = "0xff9900"
| table _time annotation_label alarmcount

$field1.earliest$
$field1.latest$

However, when I run this code, the annotation disappears.

index="alarm"
| streamstats window=2 min(alarmcount3) as minimum
| eval is_increase=if(alarmcount3!=minimum,1,0)
| streamstats window=7 sum(is_increase) as increases
| where increases>=7
| eval increase_index = index2 - 6
| eval annotation_label = increase_index
| eval annotation_color = "0xff9900"
| table _time annotation_label alarmcount3

$field1.earliest$
$field1.latest$

Any idea why??

0 Karma

Contributor

Hi,
When you run the 2nd search, do you get any output, or does only the annotation disappear?

0 Karma

Explorer

Hi, I get the output but not the annotation. I'm suspecting the 'double' streamstats command is affecting it.


0 Karma

Contributor

Hi,
Don't run your search completely but try running it part by part so that you can find which part of your search is going wrong.

0 Karma

Explorer

Yup! I did. I realised that if I remove the '2nd' streamstats command, everything works. Hmmm... I really think that it isn't the code that has a problem here..

0 Karma