Event annotations are a wonderful feature of Splunk that lets us correlate two different search results based on time.
For example, suppose we have a chart showing the number of users logged in per day for the last 30 days. On top of this data, we can add event annotations that show the number of times servers were down.
Here we will use the following query as our main query; it counts status=200 events over time.
index=_internal status=200 | timechart count by status
Now save this query to a dashboard by clicking Save As > Dashboard Panel.
Go to the dashboard and change the visualization to “Line Chart”. Click “Edit”, open the “Source Code” view, and follow the instructions below.
The portion highlighted in the red box above is the part responsible for the event annotations.
This is the query that gives us the “WARN” and “ERROR” events. Using the eval command we create a field called “annotation_category”, which holds the category of each annotation (here the value of the log_level field); the flags on the chart are grouped and coloured by this field.
index=_internal (log_level="WARN" OR log_level="ERROR") | eval annotation_category = log_level
Within the option tag, we use an option called “charting.annotation.categoryColors” to set the flag colour for each category.
Now save it and refresh the dashboard.
It looks great, right? Here red flags are for “ERROR” and yellow flags are for “WARN”.
NOTE: in the search used to create event annotations, the _time field is mandatory.
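As an added example (this is not the screenshot from the original post, but a panel written from scratch following Splunk's documented Simple XML syntax for annotation searches), here is what the complete panel source could look like with both queries from this post combined. The dashboard label, panel title, time range and the colour values are assumptions chosen for this example; the two queries are the ones used above.

```xml
<dashboard>
  <label>Event Annotations Example</label>
  <row>
    <panel>
      <title>status=200 count with WARN/ERROR annotations</title>
      <chart>
        <!-- Main search: drives the line chart -->
        <search>
          <query>index=_internal status=200 | timechart count by status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Annotation search: every result becomes a flag on the chart.
             Each result must carry a _time field; the annotation_category
             field selects the flag colour via charting.annotation.categoryColors. -->
        <search type="annotation">
          <query>index=_internal (log_level="WARN" OR log_level="ERROR") | eval annotation_category = log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <!-- Flag colour per annotation_category value
             (sample colours: red for ERROR, yellow for WARN) -->
        <option name="charting.annotation.categoryColors">{"ERROR":"0xFF0000","WARN":"0xFFFF00"}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Keep the annotation search as narrowly filtered as the main search (index and log_level here), because it runs every time the panel loads or refreshes; an unfiltered annotation search over a wide time range both slows the dashboard and clutters the chart with flags.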
We hope you have enjoyed this short blog on “Understanding of Event Annotations in Splunk”. If you have any queries, please let us know in the comment section. We will be back with another interesting blog on Splunk; till then, stay tuned.
Happy Splunking !!