This quick tip shows how easy it is to add an annotation to a timechart. Annotations are a great way to add some additional relevant information to a timeline. I’ve used them in the following scenarios recently:

  • indicate when a code deployment took place
    • helps answer questions like: did things get better or worse after the code deployment
  • plot times of significant errors on a timeline and visualise whether they were the root cause of some disruption
  • track the current time on a timeline – I recently used this alongside timewrap, where I was showing the current day’s data alongside yesterday’s. It was useful to see exactly where we were in the day so that any data gaps could be spotted

Scenario

This week’s tip builds on the dashboard produced last week to track Octopus Energy prices. As this data exists both historically and in the future (and in general we are interested in future prices) it is useful to plot the current time on the timechart.

Before the annotation

The dashboard is powered by reports, which makes the simpleXML nice and well… simple. The images below show you the dashboard and the simpleXML, before we add the annotation:

Adding the annotation

Annotations are powered by additional searches that are associated with the main search/report that powers the visualisation. In this case, we can use makeresults to create an event with the current timestamp. We then use eval to set some text that will be used in the display:

We can then add a few lines of SimpleXML to add the annotation:

<!-- Annotation search -->
<search type="annotation">
    <query>|makeresults|eval annotation_label="current time"</query>
</search>

The inserted section is highlighted in the screenshot below:

Results..

The resulting dashboard looks like this:

Annotations are a powerful way to enhance your visualisations and tell more of a story, pulling in data from different sources to help inform the end user.

Further Reading

Annotations are documented here:

https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/ChartEventAnnotations


For 2021 we’ve committed to posting a new Splunk tip every week!

If you want to keep up to date on tips like the one above then sign up below:

Subscribe to our newsletter to receive regular updates from iDelta, including news and updates, information on upcoming events, and Splunk tips and tricks from our team of experts. You can also find us on Twitter and LinkedIn.

Subscribe

* indicates required
Posted by:Stuart Robertson

Stuart Robertson is the Consulting Director at iDelta. He is one of the initial founders of iDelta and has worked there since formation in 2001. Stuart holds various certifications in Core Splunk and ITSI. Stuart also holds a Bsc(Hons) in Computing Science from the University of Glasgow.