Splunk Search

Is there a way to auto adjust the Y-value to just show the significant part of the chart?

daniel333
Builder

All,

Oftentimes I just want to see the delta, not the sum of a timechart. Any ideas on if there is a way to have Splunk automatically zero in on the areas of interest for the Y axis?


niketn
Legend

@daniel333 There could be several ways of highlighting interesting data points on the y-axis.

1) Chart Overlay with static threshold: Perhaps the easiest would be to come up with a static threshold. In your case, pipe the following after your final timechart command: | eval Threshold=150000. Then Format the Chart using the UI and select the Chart Overlay option. Choose Threshold as the Overlay field.

Check out Splunk's Daily License Usage graph for an example on this.

2) Chart Overlay with Statistical outliers: Calculate the statistical outlier, like upper and lower Standard Deviation, for the entire data being plotted. Then create Overlay field/s for your chart so that the areas of your series which fall above or below the series will depict outliers. You might need to use eventstats, streamstats or other means to calculate the overall statistical outlier, then plot the actual data in the chart.

3) Predict command: You can pipe the predict command to your timechart to get a predicted series overlaid on top of your actual series:
| predict count future_timespan=0

4) Machine Learning Toolkit: Splunk's Machine Learning Toolkit app is a collection of numerous industry scenarios for outlier, anomaly detection and prediction through several standard algorithms. It also comes with many visualizations to plot outliers to gain attention. Do check out the app, which comes with examples: https://splunkbase.splunk.com/app/2890/#/overview and documentation: https://docs.splunk.com/Documentation/MLApp/latest/User/Customvisualizations

Couple of visualizations from Machine Learning Toolkit:

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
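Option 2 from the answer above, as an added example that is not part of niketn's post: eventstats computes the mean and standard deviation over the whole plotted range, and eval derives upper and lower band fields plus an outlier marker. The makeresults lines construct 48 hours of sample data with one spike; the field names (mean, sd, upper, lower, outlier) and the 2-standard-deviation multiplier are assumptions chosen for illustration.

```spl
| makeresults count=48
| streamstats count AS n
| eval _time = relative_time(now(), "@h") - (48 - n) * 3600
| eval count = 150000 + (random() % 2000) + if(n == 30, 9000, 0)
| timechart span=1h sum(count) AS count
| eventstats avg(count) AS mean, stdev(count) AS sd
| eval upper = mean + 2 * sd, lower = mean - 2 * sd
| eval outlier = if(count > upper OR count < lower, count, null())
| fields _time, count, upper, lower, outlier
```

To use it on real data, replace the first five lines with your own search ending in timechart, then select upper, lower and outlier as Chart Overlay fields, the same way as for the static threshold in option 1.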

adonio
Ultra Champion

Can you share the search for this panel?
