Splunk Search

How to edit my timechart search to create a vertical line?

faustf
Communicator

Hi guys,

I need to create a vertical line in a time chart.
I thought that I could use the following search to draw the vertical line:

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest]  | timechart count  | eval test=if(_time==1487771030,100,10) 

that produces the following chart:
(chart screenshot)

I was expecting to see a vertical line at 1487771030

Of course, in the final search, the last part should be like this

| eval test=if(_time==1487771030,MAX,0) 

Obviously this is not working.
The next question is "How can I calculate the MAX"
In this solution (if I'm able to reach what I'm looking for) there is the following problem: the "test" line will be visible even when _time is not equal to 1487771030.

Is there a better way to draw a vertical line in a time chart?

thanks

(I'm using Splunk 6.5)

0 Karma
1 Solution

somesoni2
Revered Legend

Give these a try

1) Showing a spike (test) for the max value of count, and using a line chart

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count | eventstats max(count) as test | eval test=if(count=test, test, null())

2) Same search as above, but use chart overlay, and use the column chart visualization with count as the overlay field (for the line chart).


faustf
Communicator

I noticed if I use this query :

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487770130,"-15m") | eval latest = relative_time(1487770130,"+1m") | return earliest, latest] | timechart count | eventstats max(count) as Fault | eval Fault=if(_time=1487770130, Fault, null())

(chart screenshot)

I saw what I want (the yellow point at 1487770130), but if I change, for example, the latest time
from

eval latest =relative_time(1487770130,"+1m")

to

eval latest =relative_time(1487770130,"+5m")

The yellow point disappears. Does anyone know why?

0 Karma

dbcase
Motivator

To follow on to Somesoni2's solution, put the chart in a dashboard, then edit the XML to include the option below. This way the column isn't as wide and it looks more like a vertical line.

<option name="charting.chart.columnSpacing">100</option>
0 Karma

faustf
Communicator

Thanks for your comment. Do you also have an idea of how to solve my problem?

0 Karma

dbcase
Motivator

Somesoni2's query should meet your needs

0 Karma

faustf
Communicator

As I wrote in the comments, it isn't.

0 Karma

dbcase
Motivator

If Somesoni2 can't help then I doubt anyone else will be able to.

0 Karma

faustf
Communicator

Thank you for your answer, but I think that I didn't explain myself well, because this is not exactly what I'm looking for.

What I'm trying to do is create a vertical line, or a point, or a mark at a specific timestamp on the chart.

In this case I want a vertical line (if that is not possible, a visible point/mark on the graph should be OK) at 1487771030 (the time interval of my query is from 1487771030 - 15 minutes to 1487771030 + 5 minutes).

I talk about MAX because the vertical line should be drawn at 1487771030 (x-axis) with the MAX count (y-axis).
In your solution I saw a point corresponding to the MAX count value.

Check the following image:
(chart screenshot)

Thanks

0 Karma

somesoni2
Revered Legend

Give this a try then

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest]  | timechart count  
| appendpipe [| stats max(count) as test | eval _time=1487771030]
| sort _time
0 Karma

faustf
Communicator

This is what I want but there is a problem, a line is missing, check the picture.

(chart screenshot)

If I remove "| appendpipe ..." the graph is drawn right but, of course, there isn't the test point.

0 Karma

somesoni2
Revered Legend

I guess the problem is that your timestamp 1487771030 is not matching any of the _time values after timechart (span is not specified, or even if it is specified, it may not match 1487771030). In the Chart Format options, in the General section, set 'Null Values' to 'Connect'.

0 Karma
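The bucket mismatch described above (timechart picks its own span from the time range, so widening the window from +1m to +5m can move the bucket boundaries away from the exact timestamp) can be removed at the source instead of being papered over with the 'Connect' option: fix the span explicitly and snap the marker timestamp to that span with relative_time(..., "@m"), so the marker always lands on an existing bucket. The Simple XML panel below is an added example, not code posted in this thread; index, field and the timestamp are the ones from the question, while span=1m, the field name "marker" and the panel layout are assumptions. It also folds in dbcase's columnSpacing tip so the marker column reads as a thin vertical line, with count drawn as the overlay line.

```xml
<dashboard>
  <label>ALARM count with a marker at a fixed timestamp</label>
  <row>
    <panel>
      <!-- Added example, not from the thread. index, ALARM and 1487771030 are from
           the question; span=1m and the field name "marker" are assumptions.
           relative_time(1487771030,"@m") snaps the marker to the start of its
           1-minute bucket (1487770980), which is exactly the _time that
           timechart span=1m emits, so the eval matches one row regardless of
           how wide the overall time range is. -->
      <chart>
        <search>
          <query>
index=myindex ALARM="ALARM"
  [| gentimes start=-1
   | eval earliest=relative_time(1487771030,"-15m"), latest=relative_time(1487771030,"+5m")
   | return earliest, latest]
| timechart span=1m count
| eventstats max(count) as maxcount
| eval marker=if(_time==relative_time(1487771030,"@m"), maxcount, null())
| fields - maxcount
          </query>
        </search>
        <!-- marker is the column series (one bar, max height, at the snapped bucket);
             count is drawn as the overlay line, as dbcase suggested -->
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">count</option>
        <!-- narrow column so the single bar looks like a vertical line -->
        <option name="charting.chart.columnSpacing">100</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because the marker is written into the existing bucket row rather than appended as a separate row, count is never null, so the 'Null Values' setting no longer matters. The trade-off is that the bar sits at the bucket start, up to span-1 seconds before the real timestamp (50 seconds early here); if that is too coarse, lower span (and the "@m" snap modifier to match, e.g. span=10s with relative_time(1487771030,"@s") rounded to a 10-second boundary via floor(1487771030/10)*10).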

faustf
Communicator

You are awesome!!!!!!!!!
It worked!!!!
Thanks

0 Karma

dbcase
Motivator

Make the overlay a column chart

0 Karma

faustf
Communicator

It was already an overlay

0 Karma