Splunk Search

How to add "point-in-time" annotations to a chart?

NaraSplunk
Explorer

I'd like to "annotate" a graph which shows performance over time with what points the releases have been at.

I see that there was an idea that this feature would be available: http://answers.splunk.com/answers/4108/annotation-chart-over-line-chart-overlay.html

Did it ever get implemented, perhaps under another name? Is there a way to approximate this functionality?

Tags (2)
1 Solution

lguinn2
Legend

Assume that you have a CSV file with the release information, in a format like this

timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"

Note that the time is in Linux epoch format, and is just a date (ie, a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions)

How assume that your current search looks like this:

yoursearchhere
| timechart span=1d avg(performance_number) as perf

To add the release information, do this

yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp [ inputlookup yourlookupfile.csv | eval x=100 | chart avg(x) by timestamp releaseId ]
| fields - timestamp

Use the column chart visualization, then choose a chart overlay. For the chart overlay field, chose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".

View solution in original post

lguinn2
Legend

Assume that you have a CSV file with the release information, in a format like this

timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"

Note that the time is in Linux epoch format, and is just a date (ie, a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions)

How assume that your current search looks like this:

yoursearchhere
| timechart span=1d avg(performance_number) as perf

To add the release information, do this

yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp [ inputlookup yourlookupfile.csv | eval x=100 | chart avg(x) by timestamp releaseId ]
| fields - timestamp

Use the column chart visualization, then choose a chart overlay. For the chart overlay field, chose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".

NaraSplunk
Explorer

Messy, but it'll work.

0 Karma

lguinn2
Legend

Well, the nice thing is that you can use the same CSV file with a variety of different charts...

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...