I want to show TP99 in a column chart, and add a line to show SLA.
Here is the chart I want:
But the following is the chart I got after using an overlay in the column chart. SLA is displayed as a point, not a line.
You will not get a line because you have only 1 point. You need to have a minimum of two records for a line.
For your situation, you can append an empty line with all the fileds as empty and SLA=2500.
|appendpipe [eval field1=""|eval filed2=0|eval SLA=2500]
This will create a line for you. That line won't be accurate though.
All you need to do is set a threshhold value after yours stats.
... | stats .... | eval threshhold=2500
You can also specify that value as an overlay in the advanced configuration.
A search on here for threshhold will return many more examples. You can also check here : http://wiki.splunk.com/Community:Search_Report:_How_To_Add_a_Threshold
Thanks, esix.
But threshold is still shows as a point when there is only one column.
WHat's your current search?
This is by design. The SLA series that is the basis for the line has only one data point, which is why there is no line. The dot you see would be connected to the next data point of the series (if there was one) via a line, that's how your line graph is built. Such a line (and the dot) consist of svg path
elements.
Unfortunately, I don't know of a way to change this behavior. The chart is made as an svg element, which makes changing it from .js or .css harder - the general procedure would involve finding out which path
element you need to modify, determining the desired length of your line, and transposing the item accordingly.
You might also consider a more hacky solution such as this: assuming your initial chart is based on this search, run over the last minute:
... | timechart span=1m latest(value) AS "SLA" avg(value_used) AS "TP99"
a change to this:
... | timechart span=1s latest(value) AS "SLA" avg(value_used) AS "TP99"
will yield more data points, and thus the result will look slightly more like a line. If your chart is not made with a timechart, you can achieve the same with a change from something like
... | chart latest(value) AS "SLA" avg(value_used) AS "TP99" by component
to something like
... | chart latest(value) AS "SLA" avg(value_used) AS "TP99" by component | eval expand="1,2,3,4,5,6,7" | makemv delim="," expand | mvexpand expand | fields - expand
This is probably not optimal, but could already do the trick.
PS: Or, as diogofgm suggested, you could go with a different visualization altogether.
Thanks for your help!
I want to show TP99 of every messages in column chart. There could be one or more messages.
And for each message, i also want to draw a line to show the expected performance(SLA). There are 2 lines if there are 2 columns.
My search:
|tstats p99(ResponseTime) as TP99 from datamodel=** by Message | lookup message_sla_lookup messagename as Message OUTPUT sla as SLA | where TP99 > SLA| fields Message, TP99, SLA|
Expected chart:
You only get the point because the bar graph on has one value. if you'll get only one value at all times why not use a gauge instead? you can set the limits on the gauge multiple levels.