- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add "point-in-time" annotations to a chart?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd like to "annotate" a graph which shows performance over time with what points the releases have been at.
I see that there was an idea that this feature would be available: http://answers.splunk.com/answers/4108/annotation-chart-over-line-chart-overlay.html
Did it ever get implemented, perhaps under another name? Is there a way to approximate this functionality?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assume that you have a CSV file with the release information, in a format like this
timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"
Note that the time is in Linux epoch format, and is just a date (ie, a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions)
How assume that your current search looks like this:
yoursearchhere
| timechart span=1d avg(performance_number) as perf
To add the release information, do this
yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp [ inputlookup yourlookupfile.csv | eval x=100 | chart avg(x) by timestamp releaseId ]
| fields - timestamp
Use the column chart visualization, then choose a chart overlay. For the chart overlay field, chose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assume that you have a CSV file with the release information, in a format like this
timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"
Note that the time is in Linux epoch format, and is just a date (ie, a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions)
How assume that your current search looks like this:
yoursearchhere
| timechart span=1d avg(performance_number) as perf
To add the release information, do this
yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp [ inputlookup yourlookupfile.csv | eval x=100 | chart avg(x) by timestamp releaseId ]
| fields - timestamp
Use the column chart visualization, then choose a chart overlay. For the chart overlay field, chose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Messy, but it'll work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, the nice thing is that you can use the same CSV file with a variety of different charts...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
