Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Add a Static Baseline?

tfitzgerald15
Explorer
‎10-02-2013 07:11 AM

I'm trying to set up a dashboard panel to automatically alert me every time the number of critical or high threat hits goes over a pre-determined baseline. Right now I have that manually calculated, but I can go through and tweak that later. So, what I've got so far:

sourcetype="pan_threat" (severity="high" OR "critical") | timechart span=1h count by date | eval Baseline=1240 | stats first(Baseline) as Baseline

I expected this to chart the normal graph of count by date that I've been using, then append a line at the value of Baseline for each day. Instead, I get this.

Baseline

1 1240

Any thoughts on why it's not working?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:20 AM

Your last command is a stats command so you get that view.

Updated:

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 08:03 AM

This works for me, i just moved the split by date after the first(BaseLine) as Baseline. If you create a line chart you should then see the two lines you are looking for.

<...> | timechart count, first(BaseLine) as Baseline by date | eval BaseLine=1240

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:51 AM

That is a lot better. I just completely got rid of the "By Date". However, now the baseline appears broken up. Wish I could post links, I'd show you an image of what I see.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-02-2013 07:45 AM

Oh yeah sorry, the by date part is messing that up. I think you can move the split 'by date' to the end. I'm on my phone right now but will check this for you later.

0 Karma
Reply

tfitzgerald15
Explorer
‎10-02-2013 07:28 AM

And then I get the following error.

Error in 'timechart' command: The argument 'first(baseline)' is invalid.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...