Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add a Static Baseline?

tfitzgerald15
Explorer
‎10-02-2013 07:11 AM

I'm trying to set up a dashboard panel to automatically alert me every time the number of critical or high threat hits goes over a pre-determined baseline. Right now I have that manually calculated, but I can go through and tweak that later. So, what I've got so far:

sourcetype="pan_threat" (severity="high" OR "critical") | timechart span=1h count by date | eval Baseline=1240 | stats first(Baseline) as Baseline

I expected this to chart the normal graph of count by date that I've been using, then append a line at the value of Baseline for each day. Instead, I get this.

Baseline

1 1240

Any thoughts on why it's not working?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:20 AM

Your last command is a stats command so you get that view.

Updated:

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 08:03 AM

This works for me, i just moved the split by date after the first(BaseLine) as Baseline. If you create a line chart you should then see the two lines you are looking for.

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:51 AM

That is a lot better. I just completely got rid of the "By Date". However, now the baseline appears broken up. Wish I could post links, I'd show you an image of what I see.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:45 AM

Oh yeah sorry, the by date part is messing that up. I think you can move the split 'by date' to the end. I'm on my phone right now but will check this for you later.

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:28 AM

And then I get the following error.

Error in 'timechart' command: The argument 'first(baseline)' is invalid.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...