Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need assistance to create baseline in trellis in splunk dashboard

dixa0123
New Member
‎08-19-2024 11:58 PM

Hello everyone, 

dixa0123_0-1724136833838.png

 

I have created dashboard that shows total log volumes for different sources across 7 days. I am using line chart and trellis. As shown in pic, I want to add median/average value of logs as horizonal red line. Is there a way to achieve it ? Final aim is to be able to observe pattern and median/avg log volumes of certain week that ultimately helps to define baseline of log volume for each source.

below is the SPL I am using,  

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=--7d@d latest=now by _time, source | timechart span=1d sum(log_count) by source

Any suggestions would be highly appreciated. Thanks

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-20-2024 01:42 AM

Instead of using timechart, you can use stats and bin by _time, e.g.

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=-7d@d latest=now by _time span=1d, source 
| stats sum(log_count) as sum_log by _time source
| eventstats avg(sum_log) as avg_sum_log by source

and then in your trellis give yourself an independent scale

bowesmana_0-1724143132587.png

You seem to need the tstats AND stats to give yourself a trellis by source option.

0 Karma
Reply

dixa0123
New Member
‎08-20-2024 04:43 PM

Great, thank you bowesmana. It is working as expected just that can't get to see value on avg. graph. I tried to turn on "show data" option with min/max option which shows value on log graph but not on avg. value graph. Do you have any suggestion to get it done? Appreciate your support. Thanks

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 01:04 AM

Mmm, I think the problem is that the min/max applies to the entire dataset rather than per series, because if you don't use trellis, there is only min/max for the entire chart, not per series.

 

0 Karma
Reply

dixa0123
New Member
‎08-21-2024 05:15 PM

That's so true. turning on option " ON" for showing data looks pretty bad on graph. 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-20-2024 01:43 AM

Note that if you have any days where there are no results, you will not get a datapoint for that day for that source, so it will affect the average. You can probably resolve that if that's an issue.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...