## How to edit my timechart search to create a vertical line?

Communicator

Hi guys,

I need to create a vertical line in a time chart.
I thought that I could use the following search to draw the vertical line:

```
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count | eval test=if(_time==1487771030,100,10)
```

that produces the following chart:

I was expecting to see a vertical line at 1487771030

Of course, in the final search, the last part should be like this:

```
| eval test=if(_time==1487771030,MAX,0)
```

Obviously this is not working.
The next question is: how can I calculate the MAX?
In this solution (if I am able to reach what I'm looking for) there is the following problem: the "test" line will be visible even when _time is not equal to 1487771030.

Is there a better way to draw a vertical line in a time chart?

thanks

(I'm using Splunk 6.5)

1 Solution
SplunkTrust

Give these a try

1) Showing a spike (test) for the max value of count, using a line chart:

```
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count | eventstats max(count) as test | eval test=if(count=test, test, null())
```

2) Same search as above, but use a chart overlay, with a column chart visualization and count as the overlay field (for the line chart).

Communicator

I noticed that if I use this query:

```
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487770130,"-15m") | eval latest = relative_time(1487770130,"+1m") | return earliest, latest] | timechart count | eventstats max(count) as Fault | eval Fault=if(_time=1487770130, Fault, null())
```

I see what I want (the yellow point at 1487770130), but if I change, for example, the latest time
from

```
eval latest = relative_time(1487770130,"+1m")
```

to

```
eval latest = relative_time(1487770130,"+5m")
```

the yellow point disappears. Does anyone know why?

Motivator

To follow on from Somesoni2's solution, put the chart in a dashboard, then edit the XML to include the option below. This way the column isn't as wide and it looks more like a vertical line.

```xml
<option name="charting.chart.columnSpacing">100</option>
```
Communicator

Thanks for your comment. Do you also have an idea of how to solve my problem?

Motivator

Somesoni2's query should meet your needs

Communicator

As I wrote in the comments, it doesn't.

Motivator

If Somesoni2 can't help then I doubt anyone else will be able to.

Communicator

Thank you for your answer, but I think I didn't explain myself well, because this is not exactly what I'm looking for.

What I'm trying to do is create a vertical line, or a point, or a mark at a specific timestamp on the chart.

In this case I want a vertical line (if that is not possible, a visible point/mark on the graph would be OK) at **1487771030** (the time interval of my query is from 1487771030 - 15 minutes to 1487771030 + 5 minutes).

I talk about MAX because the vertical line should be at 1487771030 (x-axis) with the MAX count (y-axis).
In your solution I saw a point corresponding to the MAX count value.

Thanks

SplunkTrust

Give this a try then:

```
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count
| appendpipe [| stats max(count) as test | eval _time=1487771030]
| sort _time
```

Communicator

This is what I want, but there is a problem: a line is missing, check the picture.

If I remove "| appendpipe ..." the graph is drawn correctly but, of course, the test point isn't there.

SplunkTrust

I guess the problem is that your timestamp 1487771030 does not match any of the _time values after timechart (span is not specified, or even if it is specified, it may not match 1487771030). In the Chart Format options, in the General section, select 'Null Values' as 'Connect'.
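
To make the bucket-alignment point above concrete, here is an added Python model (not Splunk code and not from anyone in this thread) of what `timechart count` followed by the `appendpipe` marker does to the rows. It assumes a simplified auto-span ladder and a 100-bin limit, which is only a stand-in for Splunk's real span selection, and constructed sample event timestamps; it also shows an alternative that sets `test` on the existing bucket containing the marker time instead of appending a row.

```python
from collections import Counter

# Constructed sample: epoch timestamps of ALARM events around the marker time from the thread.
MARK_TS = 1487771030
EVENTS = [1487770130 + k for k in (5, 15, 16, 300, 301, 302, 600, 899)]
# Assumed simplified ladder of auto spans; Splunk's real selection logic is not on the page.
SPAN_LADDER = (1, 5, 10, 30, 60, 300, 600, 1800, 3600)


def auto_span(earliest, latest, max_bins=100):
    """Smallest ladder span that keeps the bucket count within max_bins (assumed model)."""
    width = latest - earliest
    return next((s for s in SPAN_LADDER if width / s <= max_bins), SPAN_LADDER[-1])


def timechart_count(events, earliest, latest, span):
    """Model of `timechart count`: each bucket's _time is floor(t / span) * span."""
    counts = Counter((t // span) * span for t in events if earliest <= t < latest)
    first = (earliest // span) * span
    return [{"_time": b, "count": counts.get(b, 0)} for b in range(first, latest, span)]


def appendpipe_marker(rows, mark_ts):
    """Model of `appendpipe [stats max(count) as test | eval _time=mark_ts] | sort _time`."""
    peak = max(r["count"] for r in rows)
    return sorted(rows + [{"_time": mark_ts, "test": peak}], key=lambda r: r["_time"])


def marker_aligned(rows):
    """True when every appended marker row shares its _time with a real bucket."""
    buckets = {r["_time"] for r in rows if "test" not in r}
    return all(r["_time"] in buckets for r in rows if "test" in r)


def mark_in_bucket(rows, mark_ts, span):
    """Alternative: set test on the bucket that contains mark_ts, so no extra row is needed
    (SPL equivalent: `eval test=if(_time=floor(mark_ts/span)*span, peak, null())`)."""
    peak = max(r["count"] for r in rows)
    target = (mark_ts // span) * span
    return [dict(r, test=peak if r["_time"] == target else None) for r in rows]


if __name__ == "__main__":
    for plus in (60, 300):  # the "+1m" and "+5m" latest times discussed in the thread
        earliest, latest = MARK_TS - 900, MARK_TS + plus
        span = auto_span(earliest, latest)
        rows = timechart_count(EVENTS, earliest, latest, span)
        print(f"latest=+{plus}s span={span}s marker aligned:",
              marker_aligned(appendpipe_marker(rows, MARK_TS)))
```

With the +1m window the model picks a 10 s span and 1487771030 lands on a bucket boundary; with the +5m window it picks 30 s and the marker row sits between buckets, which is exactly the case 'Null Values: Connect' papers over.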

Communicator

You are awesome!!!!!!!!!
It worked!!!!
Thanks

Motivator

Make the overlay a column chart
