Dashboards & Visualizations

Dashboard: Cross-chart "compare series" cursor

akuchta
Explorer

I use both Splunk and Cloudwatch dashboards on a regular basis. One feature that cloudwatch dashboards have which I really miss in Splunk is a shared time cursor across all charts on the dashboard. So that it's easy to say "What was happening in all these different metrics at time X?"

Something like the existing functionality for Charts under Format>Legend>Compare Series that would be active on multiple charts within a dashboard at the same time.

Now, I recognize that Splunk charts are more diverse and so this is probably a non-trivial feature, but it would be very helpful for my workflows. I often need to correlate phenomena from different systems or sourcetypes by time.

EDIT: To clarify, I mean that when I hover my cursor over a point on chart A which occurs at time X, I see a vertical line though the point. A tooltip shows the value of the point. Simultaneously, on other timecharts a vertical line appears at the same time (horizontal position) and a tooltip shows the value of the point on that chart at that time X.

rvdv
Explorer

Hi @akuchta,

Did you get a final solution to do this? 
We ware using Splunk 8.1.0 and using metrics.

In the analytics workspace (for metrics) I can create two graphs in which the cursor (time) goes over both graphs at the same time. 

However when I save it as a dashboard (with both graphs as a panel) this feature is gone. 
How can I get the cursor tracing over both graphs back in the dashboard? 

0 Karma

DavidHourani
Super Champion

Hi @akuchta,

You have many choices to do this, easiest is to use a shared global time picker and set all panels to use it's token as shown here :
https://docs.splunk.com/Documentation/Splunk/7.2.1/SearchTutorial/Createnewdashboard#Add_controls_to...

If you like to do it based on a global chart that you can use to zoom in and out to filter on all other view you can leverage the tokens shown here for that :
https://answers.splunk.com/answers/318142/parse-the-panzoom-selection-start-and-end-tokens-i.html

Cheers,
David

0 Karma

kmaron
Motivator

I don't know what Cloudwatch is so maybe I'm not following but you can have the same variable timeframe for all charts on a dashboard by using a universal timepicker and setting the earliest/latest on every chart with the same token.

0 Karma

akuchta
Explorer

I am already using the technique you suggested, but need something in addition to it. I want to compare points at an exact time across multiple charts, visually.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...