Solved: Get a Chart rendering as when using predict comman...

guilmxm · ‎03-07-2014

Hi,

Does anyone knows how i could get a chart in simple xml to render as the same it automatically does when using the predit command ?

To illustrate, when using the predict command (whenever you are in inline search or a dashboard you saved), a nice chart is being generated with transparency between lower and upper data:

I have other data i want to chart the same way, let's i have 4 series:

the main serie, as for example cpu consummation
3 series that will represent min, avg and max of previous periods: lower, middle and upper

Currently, the result i have is as expected:

So my goal is to get the same chart result than predict command automatically generates, but the simple xml code have no differences between the one that generates the transparency between ranges and the one that does not...

Thank you very much for your help !

martin_mueller · ‎03-07-2014

You can hack your way into this visualization by producing the same output as the predict command, Splunk will automagically adapt. Take a look at this:

index=_internal | timechart count | eval mylower = 1000 | eval mypredicted = 2000 | eval myupper = 3000 | eval _lower = "mylower" | eval _upper = "myupper" | eval _predicted = "mypredicted"

By setting the _lower etc. field names, the underlying visualization assumes this is a predict output and paints it as such. Note, this may not be stable in future versions as this internal interface between the command and the visualization certainly can be subject to change.

View solution in original post

martin_mueller · ‎03-07-2014

You can hack your way into this visualization by producing the same output as the predict command, Splunk will automagically adapt. Take a look at this:

index=_internal | timechart count | eval mylower = 1000 | eval mypredicted = 2000 | eval myupper = 3000 | eval _lower = "mylower" | eval _upper = "myupper" | eval _predicted = "mypredicted"

By setting the _lower etc. field names, the underlying visualization assumes this is a predict output and paints it as such. Note, this may not be stable in future versions as this internal interface between the command and the visualization certainly can be subject to change.

martin_mueller · ‎04-29-2014

What option are you talking about precisely? The X-Axis seems fine to me using the approach described here.

0range · ‎04-29-2014

Why does the x-axis become unreadable with this option?

guilmxm · ‎03-07-2014

Yes off course thanks, still the essential part of this nice answer concerns the requirement of naming fields (with _lower, _predicted, _upper) as predict does to get Splunk to render the chart as wanted

alacercogitatus · ‎03-07-2014

Nice answer! But to use your actual data with timespans, do this:
timechart span=1m avg(cpu) as predicted max(cpu) as upper min(cpu) as lower | eval _lower = "lower" | eval _predicted = "predicted" | eval _upper = "upper"

guilmxm · ‎03-07-2014

Hi ! Thanks you very very much, so fast so effective 🙂

Works like a charm, i was getting crazy looking for the way Splunk was generating this automatically

Get a Chart rendering as when using predict command - upper, middle and lower with transparency

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms