Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event annotation for the min and max value of a field

nikitha15
Explorer
‎06-18-2020 04:54 AM

Hey everyone. I have never tried creating event annotation before so i am not able to grasp it properly. 

I want to show a line for both min and max values of a date field. For ex.

Dates.                                     Target

6/09/2020.                                X

6/10/2020.                                X

         .                                                .

         .                                                .

6/23/2020.                                 X

So the min and max values i.e 6/09/2020 and 6/23/2020 of dates field should be shown as lines (event annotation) .

For now the dates in between shouldn't display but later i should be able to add data for any dates and it should show as line or area chart.

And the event annotation should display target x and the date when we hover on that.

All the examples i have seen of annotations are using timecharts . I want something like the mock image below.

IMG_20200618_171852__01.jpg

Any help would be great.Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

thellmann
Splunk Employee
Splunk Employee
‎10-22-2020 11:58 AM

Hi @nikitha15 - just ran into the exact same problem. Let me show you what I did just for max using a search that anyone can run on their own Splunk Enterprise or Splunk Cloud deployment. 

Main search is like so: 

index = _internal sourcetype IN (splunk_web_access, splunkd_access) 
| timechart span=h count by sourcetype

Annotation search is like so: 

index = _internal sourcetype IN (splunk_web_access, splunkd_access) 
| timechart span=h count by sourcetype
| eval total = splunk_web_access + splunkd_access
| stats max(total)
| rename max(total) as Max
| map search="search index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype  | eval total = splunk_web_access + splunkd_access | search total=$Max$"
| eval annotation_label = "Max interactions occurred at " + strftime(_time, "%H:%M:%S") + " - total of " + total + " interactions." 
| fields _time, annotation_label, total

I used  map to pull out just the timespan associated with the max number of events - someone better at SPL could probably find a better approach. Note that in SimpleXML dashboards you have to use $$ around the map replacement token instead of $ in the search bar. 

To show the whole dashboard: 

<dashboard>
  <label>Test for nikitha15</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>
            index = _internal sourcetype IN (splunk_web_access, splunkd_access) 
            | timechart count by sourcetype span=h
            </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <search type="annotation"> 
          <query>
            index = _internal sourcetype IN (splunk_web_access, splunkd_access) 
            | timechart span=h count by sourcetype
            | eval total = splunk_web_access + splunkd_access
            | stats max(total)
            | rename max(total) as Max
            | map search="search index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype  | eval total = splunk_web_access + splunkd_access | search total=$$Max$$"
            | eval annotation_label = "Max interactions occurred at " + strftime(_time, "%H:%M:%S") + " - total of " + total + " interactions." 
            | fields _time, annotation_label, total
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</dashboard> 

 Let me know if that's not quite answering your question. 

Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...