Community:Search Report: How To Add a Threshold

From Splunk Wiki

Jump to: navigation, search

This is an example to add a threshold line in a chart by adding a single value in your search. This example is using a static value.

You should be able to test this search in your Splunk instance because the search is using the _internal index event logs. 

index=_internal source="*splunkd.log*" earliest=-30m@m
   |  timechart span=5m count by component
   | appendcols [ search index=_internal source="*splunkd.log*" earliest=-30m@m
                  | bucket _time span=5m
                  | eval threshold=1000
                  | stats first(threshold) by _time
                  | table threshold ]

Here is the result chart of the search above.
Table threshold.png Chart threshold.png

Retrieved from "http://wiki.splunk.com/Community:Search_Report:_How_To_Add_a_Threshold"
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk