Implementing Splunk 7(Third Edition)

Event annotations

An annotation is generally defined as an explanation or comment; event annotations are new in Splunk version 7.0. With this feature, you can add explanations or context to the trends returned by Splunk time charts. Splunk event annotations are presented as colored flags on the chart; when you hover your mouse over a flag, a label displays its time stamp and a custom description, as shown in the example in the following screenshot:

To illustrate how an event annotation could be used, Splunk offers an example in which administrators monitor machine logs for user login errors. A Splunk chart has been created to show login errors over time, and an event annotation has been added to flag the periods during which the servers were down for maintenance.

With the server downtimes annotated, it can easily be concluded that the two events (servers down and login errors) are related. Using event annotations in this way gives you the ability to correlate or associate discrete datasets.

Event annotations are created in Simple XML by adding a `search` element with `type="annotation"` to the chart's definition, and they are supported only for line charts, column charts, and area charts.
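The following Simple XML panel is an added example, not code from the book, that puts the login-error scenario above into a dashboard: the base search drives a line chart of failed logins, and a second search of type `annotation` returns one event per maintenance window, which Splunk draws as a flag on the chart. The `_time`, `annotation_label` and `annotation_category` fields are the ones Splunk reads from an annotation search; the index names (`auth`, `ops`), sourcetypes, and the `status=started` filter are assumptions chosen for the example and would need to match your own data.

```xml
<dashboard>
  <label>Login errors with maintenance annotations</label>
  <row>
    <panel>
      <chart>
        <title>Login errors over time</title>
        <!-- Base search: count failed logins per 15-minute bucket.
             Index and sourcetype are assumptions for this example. -->
        <search>
          <query>index=auth sourcetype=linux_secure "Failed password"
                 | timechart span=15m count AS login_errors</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <!-- Annotation search: every returned event becomes a flag.
             _time positions the flag on the x-axis, annotation_label is the
             hover text, annotation_category groups flags in the legend.
             The maintenance index and status field are assumptions. -->
        <search type="annotation">
          <query>index=ops sourcetype=maintenance_window status=started
                 | eval annotation_label="Maintenance: ".host,
                        annotation_category="Planned downtime"
                 | table _time annotation_label annotation_category</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
        <!-- Map each annotation category to a flag color. -->
        <option name="charting.annotation.categoryColors">{"Planned downtime":"#f8be34"}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Both searches share the same time range, so a flag only appears where the maintenance window falls inside the chart's window; if the annotation search returns events without a `_time` field, nothing is drawn, which is the first thing to check when flags are missing.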