Re: How to add an SLA line overlay in a column cha...

amylala · ‎08-12-2015

I want to show TP99 in a column chart, and add a line to show SLA.

Here is the chart I want:

But the following is the chart I got after using an overlay in the column chart. SLA is displayed as a point, not a line.

mahreddy · ‎01-18-2019

You will not get a line because you have only 1 point. You need to have a minimum of two records for a line.
For your situation, you can append an empty line with all the fileds as empty and SLA=2500.

|appendpipe [eval field1=""|eval filed2=0|eval SLA=2500]

This will create a line for you. That line won't be accurate though.

esix_splunk · ‎08-15-2015

All you need to do is set a threshhold value after yours stats.

... | stats .... | eval threshhold=2500

You can also specify that value as an overlay in the advanced configuration.

A search on here for threshhold will return many more examples. You can also check here : http://wiki.splunk.com/Community:Search_Report:_How_To_Add_a_Threshold

amylala · ‎08-17-2015

Thanks, esix.
But threshold is still shows as a point when there is only one column.

somesoni2 · ‎08-12-2015

WHat's your current search?

jeffland · ‎08-12-2015

This is by design. The SLA series that is the basis for the line has only one data point, which is why there is no line. The dot you see would be connected to the next data point of the series (if there was one) via a line, that's how your line graph is built. Such a line (and the dot) consist of svg path elements.

Unfortunately, I don't know of a way to change this behavior. The chart is made as an svg element, which makes changing it from .js or .css harder - the general procedure would involve finding out which path element you need to modify, determining the desired length of your line, and transposing the item accordingly.

You might also consider a more hacky solution such as this: assuming your initial chart is based on this search, run over the last minute:

... | timechart span=1m latest(value) AS "SLA" avg(value_used) AS "TP99"

a change to this:

... | timechart span=1s latest(value) AS "SLA" avg(value_used) AS "TP99"

will yield more data points, and thus the result will look slightly more like a line. If your chart is not made with a timechart, you can achieve the same with a change from something like

... | chart latest(value) AS "SLA" avg(value_used) AS "TP99" by component

to something like

... | chart latest(value) AS "SLA" avg(value_used) AS "TP99" by component | eval expand="1,2,3,4,5,6,7" | makemv delim="," expand | mvexpand expand | fields - expand

This is probably not optimal, but could already do the trick.
PS: Or, as diogofgm suggested, you could go with a different visualization altogether.

amylala · ‎08-13-2015

Thanks for your help!

I want to show TP99 of every messages in column chart. There could be one or more messages.
And for each message, i also want to draw a line to show the expected performance(SLA). There are 2 lines if there are 2 columns.

Expected chart:

diogofgm · ‎08-12-2015

You only get the point because the bar graph on has one value. if you'll get only one value at all times why not use a gauge instead? you can set the limits on the gauge multiple levels.

------------
Hope I was able to help you. If so, some karma would be appreciated.

How to add an SLA line overlay in a column chart?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM