
Need assistance to show baseline in line chart if using trellis

dixa0123
New Member

Hello everyone, 

dixa0123_0-1724136452053.png

I have created a dashboard that shows total log volumes for different sources across 7 days. I am using a line chart and trellis. As shown in the pic, I want to add the median/average value of logs as a horizontal red line. Is there a way to achieve it? The final aim is to be able to observe the pattern and median/avg log volumes of a certain week, which ultimately helps to define a baseline of log volume for each source.

Below is the SPL I am using:

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=-7d@d latest=now by _time, source
| timechart span=1d sum(log_count) by source

Any suggestions would be highly appreciated. Thanks

0 Karma

tscroggins
Influencer

Hi @dixa0123,

SplunkWeb uses hidden field attributes to identify aggregations for trellis mode in Simple XML. (I haven't tried this in Dashboard Studio.) Here's a sample search that summarizes data, calculates a global mean, reformats the results, and then uses the global mean as an overlay in trellis mode:

index=_internal 
| timechart limit=10 span=1m usenull=f useother=f count as x by component 
| untable _time component x
``` calculate a global mean ```
| eventstats avg(x) as tmp 
``` append temporary events to hold the mean as a series ```
| appendpipe 
    [| stats values(tmp) as x by _time
    | eval component="tmp" ]
``` reformat the results for trellis ```
| xyseries _time component x
``` disassociate the tmp field from aggregations to use as an overlay ```
| eval baseline=tmp
``` remove the tmp field ```
| fields - tmp

 

0 Karma