Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need assistance to create baseline in trellis in splunk dashboard

dixa0123
New Member
‎08-19-2024 11:58 PM

Hello everyone, 

dixa0123_0-1724136833838.png

 

I have created dashboard that shows total log volumes for different sources across 7 days. I am using line chart and trellis. As shown in pic, I want to add median/average value of logs as horizonal red line. Is there a way to achieve it ? Final aim is to be able to observe pattern and median/avg log volumes of certain week that ultimately helps to define baseline of log volume for each source.

below is the SPL I am using,  

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=--7d@d latest=now by _time, source | timechart span=1d sum(log_count) by source

Any suggestions would be highly appreciated. Thanks

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-20-2024 01:42 AM

Instead of using timechart, you can use stats and bin by _time, e.g.

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=-7d@d latest=now by _time span=1d, source 
| stats sum(log_count) as sum_log by _time source
| eventstats avg(sum_log) as avg_sum_log by source

and then in your trellis give yourself an independent scale

bowesmana_0-1724143132587.png

You seem to need the tstats AND stats to give yourself a trellis by source option.

0 Karma
Reply

dixa0123
New Member
‎08-20-2024 04:43 PM

Great, thank you bowesmana. It is working as expected just that can't get to see value on avg. graph. I tried to turn on "show data" option with min/max option which shows value on log graph but not on avg. value graph. Do you have any suggestion to get it done? Appreciate your support. Thanks

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 01:04 AM

Mmm, I think the problem is that the min/max applies to the entire dataset rather than per series, because if you don't use trellis, there is only min/max for the entire chart, not per series.

 

0 Karma
Reply

dixa0123
New Member
‎08-21-2024 05:15 PM

That's so true. turning on option " ON" for showing data looks pretty bad on graph. 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-20-2024 01:43 AM

Note that if you have any days where there are no results, you will not get a datapoint for that day for that source, so it will affect the average. You can probably resolve that if that's an issue.

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...