Dashboards & Visualizations

Need assistance to create baseline in trellis in Splunk dashboard

dixa0123
New Member

Hello everyone, 

[screenshot: trellis line chart of daily log volume per source]

I have created a dashboard that shows total log volumes for different sources across 7 days. I am using a line chart and trellis. As shown in the picture, I want to add the median/average value of logs as a horizontal red line. Is there a way to achieve it? The final aim is to be able to observe the pattern and median/avg log volumes of a certain week, which ultimately helps to define a baseline of log volume for each source.

Below is the SPL I am using:

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=-7d@d latest=now by _time, source | timechart span=1d sum(log_count) by source

Any suggestions would be highly appreciated. Thanks


bowesmana
SplunkTrust

Instead of using timechart, you can use stats and bin by _time, e.g.

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=-7d@d latest=now by _time span=1d, source 
| stats sum(log_count) as sum_log by _time source
| eventstats avg(sum_log) as avg_sum_log by source

and then in your trellis give yourself an independent scale

[screenshot: trellis with per-source average line, independent scale enabled]

You seem to need the tstats AND stats to give yourself a trellis by source option.


dixa0123
New Member

Great, thank you bowesmana. It is working as expected; it's just that I can't get to see the value on the avg. graph. I tried to turn on the "show data" option with min/max, which shows the value on the log graph but not on the avg. value graph. Do you have any suggestion to get it done? Appreciate your support. Thanks


bowesmana
SplunkTrust

Mmm, I think the problem is that the min/max applies to the entire dataset rather than per series, because if you don't use trellis, there is only min/max for the entire chart, not per series.


dixa0123
New Member

That's so true. Turning on the "ON" option for showing data looks pretty bad on the graph.


bowesmana
SplunkTrust

Note that if you have any days where there are no results, you will not get a datapoint for that day for that source, so it will affect the average. You can probably resolve that if that's an issue.

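As an added worked example (not code from the thread or from Splunk), the following Python reproduces what the accepted answer's stats/eventstats pipeline computes, a daily sum per source and a per-source average, and extends it with the zero-fill for empty days that the last reply warns about, a median alongside the average, and a simple check of which days fall outside the baseline. The sample rows, source names, date range and the 0.5x/2x thresholds are constructed for illustration and are not from the thread.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, median

# Constructed sample rows (day, source, log_count), the shape that
# "| tstats count as log_count ... by _time, source" returns: a day can
# carry several rows for one source (syslog on 2024-08-13), and auth.log
# has no row at all on 2024-08-16, i.e. the source was silent that day.
SAMPLE_ROWS = [
    ("2024-08-13", "auth.log", 1200), ("2024-08-13", "syslog", 5000),
    ("2024-08-13", "syslog", 3000),
    ("2024-08-14", "auth.log", 1100), ("2024-08-14", "syslog", 7900),
    ("2024-08-15", "auth.log", 1300), ("2024-08-15", "syslog", 8100),
    ("2024-08-16", "syslog", 8000),
    ("2024-08-17", "auth.log", 1250), ("2024-08-17", "syslog", 7800),
    ("2024-08-18", "auth.log", 1150), ("2024-08-18", "syslog", 8200),
    ("2024-08-19", "auth.log", 1200), ("2024-08-19", "syslog", 30000),
]


def daily_sums(rows):
    """Equivalent of '| stats sum(log_count) as sum_log by _time source'."""
    sums = defaultdict(int)
    for day, source, count in rows:
        sums[(day, source)] += count
    return dict(sums)


def day_range(start_iso, days):
    """ISO date strings for `days` consecutive days starting at start_iso."""
    start = date.fromisoformat(start_iso)
    return [(start + timedelta(days=i)).isoformat() for i in range(days)]


def fill_missing_days(sums, start_iso, days):
    """Zero-fill (day, source) cells that have no events. Without this a
    silent day simply vanishes from the series: the average is taken over
    fewer points and the outage never shows up against the baseline."""
    sources = {source for (_, source) in sums}
    return {(day, source): sums.get((day, source), 0)
            for day in day_range(start_iso, days) for source in sources}


def baseline_by_source(sums):
    """Per-source average (the answer's eventstats avg(sum_log) by source)
    plus the median, which a single spike day does not drag around."""
    per_source = defaultdict(list)
    for (day, source), value in sorted(sums.items()):
        per_source[source].append(value)
    return {source: {"avg": mean(values), "median": median(values)}
            for source, values in per_source.items()}


def flag_outliers(sums, baseline, low_ratio=0.5, high_ratio=2.0):
    """Days whose volume lies outside [low_ratio, high_ratio] x median.
    A drop usually means a broken or silenced log source (a gap in
    detection coverage); a spike means a noisy host worth a look."""
    flagged = []
    for (day, source), value in sorted(sums.items()):
        med = baseline[source]["median"]
        if value < low_ratio * med or value > high_ratio * med:
            flagged.append((day, source, value))
    return flagged


if __name__ == "__main__":
    filled = fill_missing_days(daily_sums(SAMPLE_ROWS), "2024-08-13", 7)
    base = baseline_by_source(filled)
    for source, stats in sorted(base.items()):
        print(f"{source}: avg={stats['avg']:.1f} median={stats['median']}")
    for day, source, value in flag_outliers(filled, base):
        print(f"outlier {day} {source}: {value}")
```

On the constructed data the difference the zero-fill makes is visible directly: without it auth.log averages 1200 over six days and the silent 2024-08-16 is invisible; with it the average drops to about 1029 while the median stays at 1200, and the silent day is flagged as a low outlier. The syslog spike on 2024-08-19 pulls that source's average far above its median, which is why the median is the better reference line when the goal is a baseline for spotting sources that stop or flood.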