Splunk Search

How to add a horizontal threshold line overlay in column chart?

splunker12er
Motivator

I have created a savedsearch which displays the Current license usage indexer wise. ("|rest" query)

x- axis : Indexer-1 , Indexer-2, Indexer-3
Y-axis :  Amount of Gb indexed .(Eg : 10,20,30,40,50)

I have created a column chart out of this records. Now, I need to add an overlay threshold line in between this column chart.

Warning threshold : 40Gb
Critical threshold   : 45Gb

How do i add these horizontal threshold lines in my column chart ?

Please advise

Tags (3)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Append this to your search:

... | eval warning = 40 | eval critical = 45

And set those two as overlay lines in the chart formatting. Needs Splunk 6.1 for the graphical formatting editor.

Did you take a look at the existing license usage report? http://host:8000/en-US/manager/search/licenseusage
That already comes with a threshold line, computed from your license size.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Append this to your search:

... | eval warning = 40 | eval critical = 45

And set those two as overlay lines in the chart formatting. Needs Splunk 6.1 for the graphical formatting editor.

Did you take a look at the existing license usage report? http://host:8000/en-US/manager/search/licenseusage
That already comes with a threshold line, computed from your license size.

madrum
Explorer

Step 1 is to specify ... | eval warning = 40 | eval critical = 45
Step 2, more importantly, is to open up the Format option > select Chart Overlay, in the Overlay textbox, select "warning" or whatever you call it and that will be a horizontal line on your column chart.

0 Karma

ppablo
Retired

Hi @madrum

Just comment to add additional context to an answer in the future. Please only reserve downvoting for answers that could be potentially harmful for a user's environment. To understand how voting etiquette works in this forum and Splunk community, please review this post:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

madrum
Explorer

I downvoted this post because it doesn't answer the question. this suggestion adds another column, not a horizontal bar like the poster requested.

martin_mueller
SplunkTrust
SplunkTrust

The answer does mention setting the overlay in the chart formatting editor?

0 Karma

Richfez
SplunkTrust
SplunkTrust

splunker12er,

If you found this answer reasonably useful, could you please "accept" it so that future searchers will know it's a good answer to the question?

Thanks!

0 Karma

splunker12er
Motivator

my query :

'search query' | table Indexer-1,indexer-2,Indexer-3

tabulated the results and using coulmn chart view

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...