Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Annotation of graph not working when i use the below command.

marvinlee93
Explorer
‎02-28-2019 10:27 PM

Hi all. I'm facing some issues in displaying annotations for my graphs. I suspect that something is wrong when I use 2 STREAMSTATS command. My annotation for that particular graph seems to stop working.

When I run this code, it works!

index="alarm"
| streamstats avg(alarmcount) as average stdev(alarmcount) as standev

| eval threeSigmaLimit = (average + (standev * 3))
| where alarmcount > threeSigmaLimit | eval annotation_label = index | eval annotation_color = "0xff9900"
| table _time annotation_label alarmcount
$field1.earliest$
$field1.latest$

However, when I run this code. The annotation disappears.

index="alarm"
| streamstats window=2 min(alarmcount3) as minimum
| eval is_increase=if(alarmcount3!=minimum,1,0)
| streamstats window=7 sum(is_increase) as increases
| where increases>=7
| eval increase_index = index2 - 6
| eval annotation_label = increase_index| eval annotation_color = "0xff9900"
| table _time annotation_label alarmcount3
$field1.earliest$
$field1.latest$

any idea whY??

Tags (1)
0 Karma
Reply

nikita_p
Contributor
‎02-28-2019 11:06 PM

Hi,
When you run the 2nd search do you get any output or only annotation disappears?

0 Karma
Reply

marvinlee93
Explorer
‎03-01-2019 12:48 AM

Hi, I get the output but not the annotation. I'm suspecting the 'double' streamstats command is affecting it.

alt text

0 Karma
Reply

nikita_p
Contributor
‎03-01-2019 03:11 AM

Hi,
Don't run your search completely but try running it part by part so that you can find which part of your search is going wrong.

0 Karma
Reply

marvinlee93
Explorer
‎03-03-2019 05:51 PM

Yup! I did. I realised that if I remove the '2nd' streamstats command, everything works. Hmmm... I really think that it isn't the code that has a problem here..

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...