How to edit my timechart search to create a vertical line?

Communicator

Hi guys,

I need to create a vertical line in a time chart.
I thought that I could use the following search to draw the vertical line:

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count | eval test=if(_time==1487771030,100,10)

that produces the following chart:

I was expecting to see a vertical line at 1487771030

Of course, in the final search, the last part should be like this

| eval test=if(_time==1487771030,MAX,0)

Obviously this is not working.
The next question is "How can I calculate the MAX"
In this solution (if I am able to reach what I'm looking for) there is the following problem: the "test" line will be visible even when the _time is not equal to 1487771030.

is there a better way to draw a vertical line in a time chart?

thanks

(I'm using Splunk 6.5)

1 Solution

SplunkTrust

Give these a try

1) Showing a spike (test) for the max value of count, and using line chart

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count | eventstats max(count) as test | eval test=if(count=test, test,null)

2) Same search as above, but use chart overlay, and use column chart visualization with count as overlay field (for line chart).


Communicator

I noticed if I use this query :

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487770130,"-15m") | eval latest = relative_time(1487770130,"+1m") | return earliest, latest] | timechart count  | eventstats max(count) as Fault | eval Fault=if(_time=1487770130, Fault,null)


I saw what I want (the yellow point at 1487770130), but if I change, for example, the latest time
from

eval latest =relative_time(1487770130,"+1m")

to

eval latest =relative_time(1487770130,"+5m")

The yellow point disappears. Does anyone know why?


Motivator

To follow on to Somesoni2's solution, put the chart in a dashboard, then edit the XML to include the below. This way the column isn't as wide and it looks more like a vertical line.

<option name="charting.chart.columnSpacing">100</option>

Communicator

Thanks for your comment. Do you also have an idea how to solve my problem?


Motivator

Somesoni2's query should meet your needs


Communicator

As I wrote in the comments, it isn't.


Motivator

If Somesoni2 can't help then I doubt anyone else will be able to.



Communicator

Thank you for your answer, but I think that I didn't explain myself well, because this is not exactly what I'm looking for.

What I'm trying is to create a VerticalLine, or a point, or a Mark at a specific TimeStamp of the chart.

In this case I want a Vertical Line (if it is not possible, a visible point/mark on the graph should be ok) at 1487771030 (the time interval of my query is from 1487771030 - 15 minutes to 1487771030 + 5 minutes).

I talk about Max because the Vertical Line should be drawn at 1487771030 (X-axis) with MAX count (Y-axis).
In your solution I saw a point corresponding to the MAX Count value.

Check the following image:

Thanks


SplunkTrust

Give this a try then

index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest]  | timechart count  
| appendpipe [| stats max(count) as test | eval _time=1487771030]
| sort _time

Communicator

This is what I want, but there is a problem: a line is missing, check the picture.


If I remove "| appendpipe ..." the graph is drawn right, but, of course, the test point isn't there.


SplunkTrust

I guess the problem is that your timestamp 1487771030 is not matching any of the _time values after timechart (span is not specified, or even if specified, may not match 1487771030). In the Chart Format options, in the General section, select 'Null Values' as 'Connect'.

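Putting the thread's pieces together, as an added example that is not from any post above: a Simple XML panel that snaps the marker timestamp to the timechart bucket, so the marker row lands on an existing _time value instead of creating the null gap the accepted answer diagnoses, and applies the column-overlay and column-spacing options from the comments. The index, field names, the epoch 1487771030 and the columnSpacing option come from the thread; the 1-minute span and the option names charting.chart, charting.chart.overlayFields and charting.chart.nullValueMode are standard Splunk charting settings chosen here.

```xml
<dashboard>
  <label>ALARM timechart with vertical marker (added example)</label>
  <row>
    <panel>
      <chart>
        <title>Alarms around 1487771030</title>
        <search>
          <!-- timechart span=1m buckets are aligned to minute boundaries,
               so floor(1487771030/60)*60 is the _time of the bucket that
               contains the marker; the marker therefore reuses an existing
               row instead of adding a new _time that breaks the count line -->
          <query>
index=myindex ALARM="ALARM"
  [| gentimes start=-1
   | eval earliest=relative_time(1487771030,"-15m")
   | eval latest=relative_time(1487771030,"+5m")
   | return earliest, latest]
| timechart span=1m count
| eventstats max(count) as maxc
| eval mark=floor(1487771030/60)*60
| eval test=if(_time=mark, maxc, null())
| fields - maxc, mark
          </query>
        </search>
        <!-- test is drawn as a single narrow column at the marker bucket,
             count is overlaid as a line on top of it -->
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">count</option>
        <option name="charting.chart.columnSpacing">100</option>
        <!-- same effect as Chart Format > General > Null Values: Connect,
             kept as a safety net if the span is changed later -->
        <option name="charting.chart.nullValueMode">connect</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

If the chosen span does not divide 60 evenly, change both `span=` and the divisor in the `floor()` expression together, otherwise the marker falls between buckets again.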

Communicator

You are awesome!!!!!!!!!
It worked!!!!
Thanks


Motivator

Make the overlay a column chart


Communicator

It was already an overlay
