Splunk Search

How to add "point-in-time" annotations to a chart?

NaraSplunk
Explorer

I'd like to "annotate" a graph which shows performance over time with what points the releases have been at.

I see that there was an idea that this feature would be available: http://answers.splunk.com/answers/4108/annotation-chart-over-line-chart-overlay.html

Did it ever get implemented, perhaps under another name? Is there a way to approximate this functionality?

Tags (2)
1 Solution

lguinn2
Legend

Assume that you have a CSV file with the release information, in a format like this

timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"

Note that the time is in Linux epoch format, and is just a date (ie, a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions)

How assume that your current search looks like this:

yoursearchhere
| timechart span=1d avg(performance_number) as perf

To add the release information, do this

yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp [ inputlookup yourlookupfile.csv | eval x=100 | chart avg(x) by timestamp releaseId ]
| fields - timestamp

Use the column chart visualization, then choose a chart overlay. For the chart overlay field, chose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".

View solution in original post

lguinn2
Legend

Assume that you have a CSV file with the release information, in a format like this

timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"

Note that the time is in Linux epoch format, and is just a date (ie, a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions)

How assume that your current search looks like this:

yoursearchhere
| timechart span=1d avg(performance_number) as perf

To add the release information, do this

yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp [ inputlookup yourlookupfile.csv | eval x=100 | chart avg(x) by timestamp releaseId ]
| fields - timestamp

Use the column chart visualization, then choose a chart overlay. For the chart overlay field, chose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".

NaraSplunk
Explorer

Messy, but it'll work.

0 Karma

lguinn2
Legend

Well, the nice thing is that you can use the same CSV file with a variety of different charts...

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...