Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need assistance to create baseline in trellis in splunk dashboard

dixa0123
New Member
‎08-19-2024 11:58 PM

Hello everyone, 

dixa0123_0-1724136833838.png

 

I have created dashboard that shows total log volumes for different sources across 7 days. I am using line chart and trellis. As shown in pic, I want to add median/average value of logs as horizonal red line. Is there a way to achieve it ? Final aim is to be able to observe pattern and median/avg log volumes of certain week that ultimately helps to define baseline of log volume for each source.

below is the SPL I am using,  

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=--7d@d latest=now by _time, source | timechart span=1d sum(log_count) by source

Any suggestions would be highly appreciated. Thanks

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-20-2024 01:42 AM

Instead of using timechart, you can use stats and bin by _time, e.g.

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=-7d@d latest=now by _time span=1d, source 
| stats sum(log_count) as sum_log by _time source
| eventstats avg(sum_log) as avg_sum_log by source

and then in your trellis give yourself an independent scale

bowesmana_0-1724143132587.png

You seem to need the tstats AND stats to give yourself a trellis by source option.

0 Karma
Reply

dixa0123
New Member
‎08-20-2024 04:43 PM

Great, thank you bowesmana. It is working as expected just that can't get to see value on avg. graph. I tried to turn on "show data" option with min/max option which shows value on log graph but not on avg. value graph. Do you have any suggestion to get it done? Appreciate your support. Thanks

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 01:04 AM

Mmm, I think the problem is that the min/max applies to the entire dataset rather than per series, because if you don't use trellis, there is only min/max for the entire chart, not per series.

 

0 Karma
Reply

dixa0123
New Member
‎08-21-2024 05:15 PM

That's so true. turning on option " ON" for showing data looks pretty bad on graph. 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-20-2024 01:43 AM

Note that if you have any days where there are no results, you will not get a datapoint for that day for that source, so it will affect the average. You can probably resolve that if that's an issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...