Splunk Search

How to add a horizontal threshold line overlay in column chart?

splunker12er
Motivator

I have created a savedsearch which displays the Current license usage indexer wise. ("|rest" query)

x- axis : Indexer-1 , Indexer-2, Indexer-3
Y-axis :  Amount of Gb indexed .(Eg : 10,20,30,40,50)

I have created a column chart out of this records. Now, I need to add an overlay threshold line in between this column chart.

Warning threshold : 40Gb
Critical threshold   : 45Gb

How do i add these horizontal threshold lines in my column chart ?

Please advise

Tags (3)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Append this to your search:

... | eval warning = 40 | eval critical = 45

And set those two as overlay lines in the chart formatting. Needs Splunk 6.1 for the graphical formatting editor.

Did you take a look at the existing license usage report? http://host:8000/en-US/manager/search/licenseusage
That already comes with a threshold line, computed from your license size.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Append this to your search:

... | eval warning = 40 | eval critical = 45

And set those two as overlay lines in the chart formatting. Needs Splunk 6.1 for the graphical formatting editor.

Did you take a look at the existing license usage report? http://host:8000/en-US/manager/search/licenseusage
That already comes with a threshold line, computed from your license size.

madrum
Explorer

Step 1 is to specify ... | eval warning = 40 | eval critical = 45
Step 2, more importantly, is to open up the Format option > select Chart Overlay, in the Overlay textbox, select "warning" or whatever you call it and that will be a horizontal line on your column chart.

0 Karma

ppablo
Retired

Hi @madrum

Just comment to add additional context to an answer in the future. Please only reserve downvoting for answers that could be potentially harmful for a user's environment. To understand how voting etiquette works in this forum and Splunk community, please review this post:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

madrum
Explorer

I downvoted this post because it doesn't answer the question. this suggestion adds another column, not a horizontal bar like the poster requested.

martin_mueller
SplunkTrust
SplunkTrust

The answer does mention setting the overlay in the chart formatting editor?

0 Karma

Richfez
SplunkTrust
SplunkTrust

splunker12er,

If you found this answer reasonably useful, could you please "accept" it so that future searchers will know it's a good answer to the question?

Thanks!

0 Karma

splunker12er
Motivator

my query :

'search query' | table Indexer-1,indexer-2,Indexer-3

tabulated the results and using coulmn chart view

0 Karma
Get Updates on the Splunk Community!

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...