Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add a Static Baseline?

tfitzgerald15
Explorer
‎10-02-2013 07:11 AM

I'm trying to set up a dashboard panel to automatically alert me every time the number of critical or high threat hits goes over a pre-determined baseline. Right now I have that manually calculated, but I can go through and tweak that later. So, what I've got so far:

sourcetype="pan_threat" (severity="high" OR "critical") | timechart span=1h count by date | eval Baseline=1240 | stats first(Baseline) as Baseline

I expected this to chart the normal graph of count by date that I've been using, then append a line at the value of Baseline for each day. Instead, I get this.

Baseline

1 1240

Any thoughts on why it's not working?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:20 AM

Your last command is a stats command so you get that view.

Updated:

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 08:03 AM

This works for me, i just moved the split by date after the first(BaseLine) as Baseline. If you create a line chart you should then see the two lines you are looking for.

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:51 AM

That is a lot better. I just completely got rid of the "By Date". However, now the baseline appears broken up. Wish I could post links, I'd show you an image of what I see.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:45 AM

Oh yeah sorry, the by date part is messing that up. I think you can move the split 'by date' to the end. I'm on my phone right now but will check this for you later.

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:28 AM

And then I get the following error.

Error in 'timechart' command: The argument 'first(baseline)' is invalid.

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...