Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to customize the x-axis on the timechart?

kkos94
Explorer
‎04-15-2019 04:01 AM

I want my timechart to display other data on the x-axis aside from the time itself.

To be more precise, I would like the chart to represent data like this:

alt text
This is probably impossible to achieve without adding a custom CSS file, but maybe I can make some transformation in my search so I can read "Third One" when I hover over the 3:14 PM mark, or "Second Event Here" when I hover on the 1:59 PM mark.

Any ideas about how achievable this is?

Thank you for your time!

Preview file
6 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎04-15-2019 04:05 AM

Sounds like you might be trying to do chart annotations?

Here is an example of how this works:

    <panel>
      <title>Events with WARN/ERROR/INFO event annotations and color red for error, orange for warn, green for info</title>
      <chart>
        <search type="annotation">
          <query>
                  index=_internal (log_level="WARN" OR log_level="ERROR" OR log_level="INFO") | eval annotation_label = message | eval annotation_category = log_level | table _time annotation_label annotation_category
              </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <search>
          <query>index=_internal | timechart count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Base search that drives the visualization  -->
        <!-- Secondary search that drives the annotations -->
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <!-- Customize the event annotation colors based on category name -->
        <option name="charting.annotation.categoryColors">{"ERROR":"0xff3300","WARN":"0xff9900","INFO":"0x36b536"}</option>
      </chart>
    </panel>

https://docs.splunk.com/Documentation/Splunk/7.2.5/Viz/ChartEventAnnotations

View solution in original post

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎04-15-2019 04:05 AM

Sounds like you might be trying to do chart annotations?

Here is an example of how this works:

    <panel>
      <title>Events with WARN/ERROR/INFO event annotations and color red for error, orange for warn, green for info</title>
      <chart>
        <search type="annotation">
          <query>
                  index=_internal (log_level="WARN" OR log_level="ERROR" OR log_level="INFO") | eval annotation_label = message | eval annotation_category = log_level | table _time annotation_label annotation_category
              </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <search>
          <query>index=_internal | timechart count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Base search that drives the visualization  -->
        <!-- Secondary search that drives the annotations -->
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <!-- Customize the event annotation colors based on category name -->
        <option name="charting.annotation.categoryColors">{"ERROR":"0xff3300","WARN":"0xff9900","INFO":"0x36b536"}</option>
      </chart>
    </panel>

https://docs.splunk.com/Documentation/Splunk/7.2.5/Viz/ChartEventAnnotations

Reply
Solved! Jump to solution

kkos94
Explorer
‎04-15-2019 04:14 AM

That does indeed look like what I'm thinking of doing.

Thank you!

Is there a way to display these annotations under the x-axis? Kind of like a second axis overlapping the time axis?

Not sure if the way I worded it makes sense.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎04-15-2019 01:16 PM

No I just the flags that overlay as per those screenshots.

If you really need annotations under the x-axis you would need to create a custom visualisation that can render like that.

0 Karma
Reply
Solved! Jump to solution

kkos94
Explorer
‎04-19-2019 04:44 AM

Thought so. Thanks for pointing me in the right direction!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...