Splunk Search

How to add a horizontal threshold line overlay in column chart?

splunker12er
Motivator

I have created a saved search which displays the current license usage indexer-wise ("|rest" query).

X-axis: Indexer-1, Indexer-2, Indexer-3
Y-axis: Amount of Gb indexed (e.g. 10, 20, 30, 40, 50)

I have created a column chart out of these records. Now I need to add an overlay threshold line across this column chart.

Warning threshold: 40Gb
Critical threshold: 45Gb

How do I add these horizontal threshold lines in my column chart?

Please advise

0 Karma
1 Solution

martin_mueller
SplunkTrust

Append this to your search:

... | eval warning = 40 | eval critical = 45

And set those two as overlay lines in the chart formatting. Needs Splunk 6.1 for the graphical formatting editor.

Did you take a look at the existing license usage report? http://host:8000/en-US/manager/search/licenseusage
That already comes with a threshold line, computed from your license size.


madrum
Explorer

Step 1 is to specify ... | eval warning = 40 | eval critical = 45
Step 2, more importantly, is to open up the Format option > select Chart Overlay; in the Overlay textbox, select "warning" or whatever you call it, and that will be a horizontal line on your column chart.

0 Karma
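
The two steps from the answers above, written as a Simple XML dashboard panel. This is an added example, not something posted in the thread. The `makeresults` rows are constructed sample data standing in for the "|rest" search, the field names `indexer` and `GB` are assumptions, and `charting.chart.overlayFields` is the Simple XML chart option that names the overlay fields.

```xml
<dashboard>
  <label>License usage per indexer</label>
  <row>
    <panel>
      <title>GB indexed today, with warning and critical thresholds</title>
      <chart>
        <search>
          <!-- Constructed sample rows (one per indexer); replace the first four
               pipeline stages with the real license usage search. The result
               needs one row per indexer, with the category field first. -->
          <query>
            | makeresults count=3
            | streamstats count AS n
            | eval indexer="Indexer-".n, GB=case(n==1, 22, n==2, 41, n==3, 47)
            | table indexer GB
            | eval warning=40, critical=45
          </query>
        </search>
        <!-- Columns for the measured field -->
        <option name="charting.chart">column</option>
        <!-- warning and critical have the same value on every row, so drawing
             them as overlay lines gives two horizontal lines at 40 and 45 -->
        <option name="charting.chart.overlayFields">warning,critical</option>
        <option name="charting.axisTitleX.text">Indexer</option>
        <option name="charting.axisTitleY.text">GB indexed</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Without the `overlayFields` option, `warning` and `critical` are drawn as two extra columns beside each indexer instead of as lines.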

ppablo
Retired

Hi @madrum

Just comment to add additional context to an answer in the future. Please only reserve downvoting for answers that could be potentially harmful for a user's environment. To understand how voting etiquette works in this forum and Splunk community, please review this post:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

madrum
Explorer

I downvoted this post because it doesn't answer the question. This suggestion adds another column, not a horizontal bar like the poster requested.

martin_mueller
SplunkTrust

The answer does mention setting the overlay in the chart formatting editor?

0 Karma

Richfez
SplunkTrust

splunker12er,

If you found this answer reasonably useful, could you please "accept" it so that future searchers will know it's a good answer to the question?

Thanks!

0 Karma

splunker12er
Motivator

My query:

'search query' | table Indexer-1,indexer-2,Indexer-3

Tabulated the results and using column chart view.

0 Karma