Splunk Enterprise

Event annotation for the min and max value of a field

nikitha15
Explorer

Hey everyone. I have never tried creating event annotation before so i am not able to grasp it properly. 

I want to show a line for both min and max values of a date field. For ex.

Dates.                                     Target

6/09/2020.                                X

6/10/2020.                                X

         .                                                .

         .                                                .

6/23/2020.                                 X

So the min and max values i.e 6/09/2020 and 6/23/2020 of dates field should be shown as lines (event annotation) .

For now the dates in between shouldn't display but later i should be able to add data for any dates and it should show as line or area chart.

And the event annotation should display target x and the date when we hover on that.

All the examples i have seen of annotations are using timecharts . I want something like the mock image below.

IMG_20200618_171852__01.jpg

Any help would be great.Thanks.

Labels (1)
Tags (1)
0 Karma

thellmann
Splunk Employee
Splunk Employee

Hi @nikitha15 - just ran into the exact same problem. Let me show you what I did just for max using a search that anyone can run on their own Splunk Enterprise or Splunk Cloud deployment. 

Main search is like so: 

index = _internal sourcetype IN (splunk_web_access, splunkd_access) 
| timechart span=h count by sourcetype

Annotation search is like so: 

index = _internal sourcetype IN (splunk_web_access, splunkd_access) 
| timechart span=h count by sourcetype
| eval total = splunk_web_access + splunkd_access
| stats max(total)
| rename max(total) as Max
| map search="search index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype | eval total = splunk_web_access + splunkd_access | search total=$Max$"
| eval annotation_label = "Max interactions occurred at " + strftime(_time, "%H:%M:%S") + " - total of " + total + " interactions."
| fields _time, annotation_label, total

I used  map to pull out just the timespan associated with the max number of events - someone better at SPL could probably find a better approach. Note that in SimpleXML dashboards you have to use $$ around the map replacement token instead of $ in the search bar. 

To show the whole dashboard: 

<dashboard>
<label>Test for nikitha15</label>
<row>
<panel>
<chart>
<search>
<query>
index = _internal sourcetype IN (splunk_web_access, splunkd_access)
| timechart count by sourcetype span=h
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<search type="annotation">
<query>
index = _internal sourcetype IN (splunk_web_access, splunkd_access)
| timechart span=h count by sourcetype
| eval total = splunk_web_access + splunkd_access
| stats max(total)
| rename max(total) as Max
| map search="search index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype | eval total = splunk_web_access + splunkd_access | search total=$$Max$$"
| eval annotation_label = "Max interactions occurred at " + strftime(_time, "%H:%M:%S") + " - total of " + total + " interactions."
| fields _time, annotation_label, total
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</chart>
</panel>
</row>
</dashboard> 

 Let me know if that's not quite answering your question. 

Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...