I want my timechart to display other data on the x-axis aside from the time itself.
To be more precise, I would like the chart to represent data like this:
This is probably impossible to achieve without adding a custom CSS file, but maybe I can make some transformation in my search so I can read "Third One" when I hover over the 3:14 PM mark, or "Second Event Here" when I hover on the 1:59 PM mark.
Any ideas about how achievable this is?
Thank you for your time!
Sounds like you might be trying to do chart annotations?
Here is an example of how this works:
<panel>
  <title>Events with WARN/ERROR/INFO event annotations and color red for error, orange for warn, green for info</title>
  <chart>
    <!-- Secondary search that drives the annotations -->
    <search type="annotation">
      <query>
        index=_internal (log_level="WARN" OR log_level="ERROR" OR log_level="INFO") | eval annotation_label = message | eval annotation_category = log_level | table _time annotation_label annotation_category
      </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <!-- Base search that drives the visualization -->
    <search>
      <query>index=_internal | timechart count</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">area</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.legend.placement">none</option>
    <!-- Customize the event annotation colors based on category name -->
    <option name="charting.annotation.categoryColors">{"ERROR":"0xff3300","WARN":"0xff9900","INFO":"0x36b536"}</option>
  </chart>
</panel>
https://docs.splunk.com/Documentation/Splunk/7.2.5/Viz/ChartEventAnnotations
That does indeed look like what I'm thinking of doing.
Thank you!
Is there a way to display these annotations under the x-axis? Kind of like a second axis overlapping the time axis?
Not sure if the way I worded it makes sense.
No, just the flags that overlay as per those screenshots.
If you really need annotations under the x-axis you would need to create a custom visualisation that can render like that.
Thought so. Thanks for pointing me in the right direction!