Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Constant Horizontal Line On Line Chart

sajbutler
Path Finder
‎08-26-2010 12:36 PM

I'm putting together a line chart measuring application response time in milliseconds. What I would like to is put a horizontal line on the chart which is a constant value. This represents an SLA. This will allow us to determine whether the SLA has been exceeded/breached. Any thoughts on how to do this

Tags (1)
Reply

splunkmaesi
New Member
‎12-17-2016 01:57 AM

I managed to fill the gaps with the make continuous and fullnull commands

... | eval SLA=5 | timechart avg(responsetime) as responsetime, first(SLA) as SLA | table _time, responsetime, sla | makecontinuous _time span=10m | fillnull value=5 SLA
,I managed to fill the gaps with the make continuous and fullnull commands

| eval SLA=5 | timechart avg(responsetime) as responsetime, first(SLA) as SLA
| table _time, responsetime, sla | makecontinuous _time span=10m | fillnull value=5 SLA

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 01:19 PM

You can simply add a series to the chart:

... | eval SLA=5 | timechart avg(responsetime) as responsetime, first(SLA) as SLA
Reply

kyleharrison
Path Finder
‎01-22-2015 11:14 AM

I know this is a really old post- but couldn't find a similar question.

The "| eval SLA=5 " works fine, but how could you do it if you wanted the value "5" to come from a search? eg:

splunk_server=splunk*unix* index=_internal sourcetype="splunkd" component="LicenseUsage" pool="EFX Prod" NOT type=RolloverSummary | eval Gb=b/1024/1024/1024| timechart span=1h sum(Gb) as total | streamstats sum(total) AS cumulative_total | predict cumulative_total | appendcols [| rest /services/licenser/pools | where like(title,"%EFX Prod%") | eval quota=quota/1024/1024/1024| fields quota] | eval quota2=quota| eval quota=150

Here I'm trying to add a horizontal line for the quota, ie the result from:
| rest /services/licenser/pools | where like(title,"%EFX Prod%") | eval quota=quota/1024/1024/1024| fields quota

"quota" works fine
"quota2" just displays as a single point

0 Karma
Reply

kyleharrison
Path Finder
‎01-22-2015 11:36 AM

figured it out:

splunk_server=splunk*unix* index=_internal sourcetype="splunkd" component="LicenseUsage" pool="EFX Prod" NOT type=RolloverSummary | eval Gb=b/1024/1024/1024| timechart span=1h sum(Gb) as total | streamstats sum(total) AS cumulative_total | predict cumulative_total | eval quota = [| rest /services/licenser/pools | where like(title,"%EFX Prod%") | eval quota=quota/1024/1024/1024| fields quota | head 1 | return $quota]

0 Karma
Reply

AlexMcDuffMille
Communicator
‎10-14-2013 07:29 AM

Having the eval command afterwards allows the search to be accelerated.

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-26-2010 02:58 PM

I'd usually add the series after the fact:

... | timechart avg(responsetime) as responsetime | eval SLA = 5

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...