Hi guys,
I need to create a vertical line in a time chart.
I thought that I could use the following search to draw the vertical line:
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count | eval test=if(_time==1487771030,100,10)
that produces the following chart:
I was expecting to see a vertical line at 1487771030
Of course, in the final search, the last part should be like this
| eval test=if(_time==1487771030,MAX,0)
Obviously this is not working.
The next question is "How can I calculate the MAX?"
In this solution (if I am able to reach what I'm looking for) there is the following problem: the "test" line will be visible even when the _time is not equal to 1487771030.
Is there a better way to draw a vertical line in a time chart?
thanks
(I'm using Splunk 6.5)
Give these a try
1) Showing a spike (test) for the max value of count and using a line chart
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count | eventstats max(count) as test | eval test=if(count=test, test,null)
2) Same search as above, but use chart overlay, and use the column chart visualization with count as the overlay field (for line chart).
I noticed if I use this query :
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487770130,"-15m") | eval latest = relative_time(1487770130,"+1m") | return earliest, latest] | timechart count | eventstats max(count) as Fault | eval Fault=if(_time=1487770130, Fault,null)
I saw what I want (the yellow point at 1487770130), but if I change, for example, the latest time
from
eval latest =relative_time(1487770130,"+1m")
to
eval latest =relative_time(1487770130,"+5m")
The yellow point disappears. Does anyone know why?
To follow on to Somesoni2's solution, put the chart in a dashboard then edit the XML to include the below. This way the column isn't as wide and it looks more like a vertical line
<option name="charting.chart.columnSpacing">100</option>
Thanks for your comment. Do you also have an idea how to solve my problem?
Somesoni2's query should meet your needs
As I wrote in the comments, it isn't.
If Somesoni2 can't help then I doubt anyone else will be able to.
Thank you for your answer, but I think that I didn't explain myself well, because this is not exactly what I'm looking for.
What I'm trying to do is create a Vertical Line, or a point, or a Mark at a specific TimeStamp of the chart.
In this case I want a Vertical Line (if it is not possible, a visible point/mark on the graph should be OK) at 1487771030 (the time interval of my query is from 1487771030 -15 minutes to 1487771030 +5 minutes).
I talk about MAX because the Vertical Line should be drawn at 1487771030 (X-axis) with MAX count (on the Y-axis).
In your solution I saw a point corresponding to the MAX count value.
Check the following image:
Thanks
Give this a try then
index=myindex ALARM="ALARM" [| gentimes start=-1 | eval earliest = relative_time(1487771030,"-15m") | eval latest = relative_time(1487771030,"+5m") | return earliest, latest] | timechart count
| appendpipe [| stats max(count) as test | eval _time=1487771030]
| sort _time
This is what I want but there is a problem, a line is missing, check the picture.
If I remove "| appendpipe ..." the graph is drawn right but, of course, there isn't the test point.
I guess the problem is that your timestamp 1487771030 is not matching any of the _time values after timechart (span is not specified, or even if specified, may not match 1487771030). In the Chart Format options, in the General section, select 'Null Values' as 'Connect'.
You are awesome!!!!!!!!!
It worked!!!!
Thanks
Make the overlay a column chart
It was already an overlay
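The bucket mismatch described in the answer above can also be avoided in the search itself. This is an added example, not a search posted by anyone in the thread: it fixes the span at one minute and snaps the marker timestamp down to the start of its bucket, so the marker lands on an existing row instead of creating a separate one. The `makeresults` events are constructed sample data standing in for `index=myindex ALARM="ALARM"`, and the field names `n`, `peak`, `marker_time` and `marker` are assumptions.

```spl
| makeresults count=200
| streamstats count as n
| eval _time = 1487771030 - 900 + n*6
| timechart span=1m count
| eventstats max(count) as peak
| eval marker_time = 1487771030 - (1487771030 % 60)
| eval marker = if(_time == marker_time, peak, null())
| fields - peak marker_time
```

With `count` drawn as a line and `marker` as a column overlay, the single non-null `marker` value appears as one bar at the minute containing the alarm time.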