Add a Static Baseline?

tfitzgerald15
Explorer

I'm trying to set up a dashboard panel to automatically alert me every time the number of critical or high threat hits goes over a pre-determined baseline. Right now I have that manually calculated, but I can go through and tweak that later. So, what I've got so far:

sourcetype="pan_threat" (severity="high" OR "critical") | timechart span=1h count by date | eval Baseline=1240 | stats first(Baseline) as Baseline

I expected this to chart the normal graph of count by date that I've been using, then append a line at the value of Baseline for each day. Instead, I get this.

Baseline
1   1240

Any thoughts on why it's not working?

0 Karma

sdaniels
Splunk Employee

Your last command is a stats command so you get that view.

Updated:

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240

sdaniels
Splunk Employee

This works for me, I just moved the split by date after the first(BaseLine) as Baseline. If you create a line chart you should then see the two lines you are looking for.

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240

0 Karma

tfitzgerald15
Explorer

That is a lot better. I just completely got rid of the "By Date". However, now the baseline appears broken up. Wish I could post links, I'd show you an image of what I see.

0 Karma

sdaniels
Splunk Employee

Oh yeah, sorry, the 'by date' part is messing that up. I think you can move the split 'by date' to the end. I'm on my phone right now but will check this for you later.

0 Karma

tfitzgerald15
Explorer

And then I get the following error.

Error in 'timechart' command: The argument 'first(baseline)' is invalid.

0 Karma
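Added example, not posted by anyone in this thread: a search that draws the hourly count of high/critical threat hits next to a flat baseline line, plus an alert variant. It keeps the sourcetype, field names and the baseline value 1240 from the original post; the name ThreatHits and the explicit severity="critical" test (the original searches for the bare term "critical") are my own choices.

```spl
sourcetype="pan_threat" (severity="high" OR severity="critical")
| timechart span=1h count AS ThreatHits
| eval Baseline=1240

sourcetype="pan_threat" (severity="high" OR severity="critical")
| timechart span=1h count AS ThreatHits
| eval Baseline=1240
| where ThreatHits > Baseline
```

The first search is the dashboard panel: because eval runs after timechart, every hourly row (including empty buckets, where count is 0) gets Baseline=1240, so the baseline renders as one unbroken line in a line chart and there is no need for first(Baseline) or a split by date. The second search is the same pipeline with a where clause and is what you would save as an alert (for example, scheduled hourly and triggering when results are returned). SPL field names are case-sensitive, so Baseline, BaseLine and baseline are three different fields; pick one spelling and use it everywhere in the search.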