I'd like to "annotate" a graph which shows performance over time with what points the releases have been at.
I see that there was an idea that this feature would be available: http://answers.splunk.com/answers/4108/annotation-chart-over-line-chart-overlay.html
Did it ever get implemented, perhaps under another name? Is there a way to approximate this functionality?
Assume that you have a CSV file with the release information, in a format like this:

timestamp,releaseId
1435104000,"10.1.1"
1432425600,"9.5.3"
Note that the time is in Linux epoch format, and is just a date (i.e., a timestamp at midnight). This is to make matching easier. You could do it other ways, but that would complicate the answer... Load this file as a lookup table in Splunk (Step-by-step lookup instructions).
Now assume that your current search looks like this:
yoursearchhere | timechart span=1d avg(performance_number) as perf
To add the release information, do this:

yoursearchhere
| timechart span=1d avg(performance_number) as perf
| eval timestamp=relative_time(_time,"@d")
| join type=left timestamp
    [ inputlookup yourlookupfile.csv
    | eval x=100
    | chart avg(x) by timestamp releaseId ]
| fields - timestamp
Use the column chart visualization, then choose a chart overlay. For the chart overlay field, choose your original field "perf". You should see a bar of height 100 for each of your releases, and a line for "perf".
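The join above only matches when each lookup timestamp falls exactly on a day boundary, so the following is an added example (not part of the original answer) that builds the lookup CSV from release dates and checks alignment before the file is loaded. It assumes midnight is taken in UTC and that the Splunk user's time zone is UTC, so that `@d` snaps to the same boundaries; the function names are hypothetical.

```python
import csv
import io
from datetime import date, datetime, timezone

DAY = 86400  # seconds per day

def midnight_epoch(day):
    """Epoch seconds for 00:00:00 UTC on `day` (assumption: UTC day boundaries)."""
    return int(datetime(day.year, day.month, day.day, tzinfo=timezone.utc).timestamp())

def build_lookup(releases):
    """Render (date, releaseId) pairs in the CSV layout shown in the answer."""
    lines = ["timestamp,releaseId"]
    for day, release_id in releases:
        quoted = release_id.replace('"', '""')  # CSV-escape embedded quotes
        lines.append(f'{midnight_epoch(day)},"{quoted}"')
    return "\n".join(lines) + "\n"

def unaligned_rows(csv_text):
    """Rows whose timestamp is off a UTC day boundary; they never match the join key."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if int(r["timestamp"]) % DAY != 0]

def overlay(day_buckets, csv_text):
    """Emulate the left join: pair each daily bucket with its releaseId, or None."""
    rows = csv.DictReader(io.StringIO(csv_text))
    by_day = {int(r["timestamp"]): r["releaseId"] for r in rows}
    return [(ts, by_day.get(ts)) for ts in day_buckets]

# Constructed sample: the two releases from the answer's CSV.
RELEASES = [(date(2015, 6, 24), "10.1.1"), (date(2015, 5, 24), "9.5.3")]

if __name__ == "__main__":
    text = build_lookup(RELEASES)
    print(text, end="")
    # Constructed bad row: one hour past midnight, so the join would skip it.
    print(unaligned_rows(text + '1435107600,"10.1.2"\n'))
    # Three consecutive daily buckets; only the middle one carries a release.
    print(overlay([1435017600, 1435104000, 1435190400], text))
```
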