Get a Chart rendering as when using predict command - upper, middle and lower with transparency

SplunkTrust

Hi,

Does anyone know how I could get a chart in Simple XML to render the same way it automatically does when using the predict command?

To illustrate, when using the predict command (whether you are in an inline search or in a dashboard you saved), a nice chart is generated with transparency between the lower and upper data.

I have other data I want to chart the same way. Let's say I have 4 series:

  • the main series, for example CPU consumption
  • 3 series that will represent min, avg and max of previous periods: lower, middle and upper

Currently, the result I have is as expected.

So my goal is to get the same chart result that the predict command automatically generates, but the Simple XML code has no differences between the one that generates the transparency between ranges and the one that does not...

Thank you very much for your help!

1 Solution

SplunkTrust

You can hack your way into this visualization by producing the same output as the predict command, Splunk will automagically adapt. Take a look at this:

index=_internal | timechart count | eval mylower = 1000 | eval mypredicted = 2000 | eval myupper = 3000 | eval _lower = "mylower" | eval _upper = "myupper" | eval _predicted = "mypredicted"

By setting the _lower etc. field names, the underlying visualization assumes this is a predict output and paints it as such. Note, this may not be stable in future versions as this internal interface between the command and the visualization certainly can be subject to change.


SplunkTrust

What option are you talking about precisely? The X-Axis seems fine to me using the approach described here.


Communicator

Why does the x-axis become unreadable with this option?


SplunkTrust

Yes, of course, thanks. Still, the essential part of this nice answer concerns the requirement of naming fields (with _lower, _predicted, _upper) as predict does to get Splunk to render the chart as wanted.


SplunkTrust

Nice answer! But to use your actual data with timespans, do this:
timechart span=1m avg(cpu) as predicted max(cpu) as upper min(cpu) as lower | eval _lower = "lower" | eval _predicted = "predicted" | eval _upper = "upper"

SplunkTrust

Hi! Thank you very, very much, so fast, so effective 🙂

Works like a charm. I was going crazy looking for the way Splunk was generating this automatically.
