I want to draw a horizontal line across the following column time chart made out of a saved search
| timechart span=1mon avg(numDropPkt) as avgDrop BY host
Adding " |eval threashold = 100" gave me a few more column bars of value 100 (and the number of newly added columns is equal to the number of months searched), not a horizonal line.
The following link asked the same question, but the answer is very high level.
yoursearchhere | append [ sourcetype=yoursourcetype | addinfo | where _time >= info_min_time AND time <= info_max_time | eval numDropPkt = 100 | eval host="Threshold" ] | timechart span=1mon avg(numDropPkt) as avgDrop by host
BTW, the only purpose of the
sourcetype=yoursourcetype is to obtain some events to transform into the values that I want. Any sourcetype would work if it has at least one event per month over the duration that you are searching - and fewer events would be better.
Thank you very much for your willingness to help. There is still no line show in the column graph. I am not sure why the table view tab, as I'd like a graph rather than a table report. And also since I do not understand the logic behind the script, I cannot really test/twist your script to fit my data. It could be just I did not use your script correctly.
| append [ sourcetype=yoursourcetype | addinfo | where _time >= info_min_time AND time <= info_max_time
| eval numDropPkt = 100 | eval host="Threshold" ]
| timechart limit=0 cont=T fixedrange=F span=1mon avg(numDropPkt) as avgDrop by host
And look at the Table View tab.
I am trying to do a similar thing here-- simply draw a line across my graph showing a "full_capacity" line.
mysearch | eval capacity=100 | stats max(capacity) to no avail.
Also capacity=tonumber(100) is no different.
A new way to do this?
Alternatively, to clearly label the top of my chart's Y-axis? Choosing the value in the dashboard UI doesn't label the top.