- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How to show two values in the same Single Valu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for the hour in which the maximum number of events take place. My search looks like
... | timechart span=1h sum(count) as Max | sort -Max
From this, I know how to get both the amount of events in that hour and the hour itself, but I would like to show these fields in the same singlevalue panel.
I think there is a way to do this. I tried modifying the .js in "Single Value Trend" from "Splunk 6.x Dashboard Examples", but had no success, so I wonder if somebody could help me.
Any tip will be appreciated, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! you don't need to modify the .js in Single Value Trend from "Splunk 6.x Dashboard Examples. What you need to modify is your xml code. Try this, with the same Single value Trend js and css code if you likem
<dashboard script="single_trend.js" stylesheet="single_trend.css">
<label>Single Value Trend</label>
<row >
<single>
<searchString>index=_internal | timechart span=24h count| reverse| eval value = count | eval change=_time</searchString>
<earliestTime>-48h</earliestTime>
<option name="field">value</option>
<option name="changeField">change</option>
<option name="changeFieldType">percent</option>
</single>
</row>
</dashboard>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use trellis option from Splunk version 6.6 onwards
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I maybe under thinking your question but have you tried something like
... | timechart span=1h sum(count) as Max | sort -Max | head 1 | eval display = strftime(_time, "%H") . " " .Max | fields display
You will likely want to adjust the strftime command and perhaps add more labels. I often use this for dashboards that serve as reports with something like - Report Period: (earliest_date) - (latest_date)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! you don't need to modify the .js in Single Value Trend from "Splunk 6.x Dashboard Examples. What you need to modify is your xml code. Try this, with the same Single value Trend js and css code if you likem
<dashboard script="single_trend.js" stylesheet="single_trend.css">
<label>Single Value Trend</label>
<row >
<single>
<searchString>index=_internal | timechart span=24h count| reverse| eval value = count | eval change=_time</searchString>
<earliestTime>-48h</earliestTime>
<option name="field">value</option>
<option name="changeField">change</option>
<option name="changeFieldType">percent</option>
</single>
</row>
</dashboard>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, thanks, I have never thought it would be so easy.
I have modified some of the options in the .js file to change the icons and so, the problem I am facing now is that after changing the time format I can only see the year.
This is how my searchstring looks after customizing yours:
...| timechart span=1h sum(count) as Max | sort -Max | eval value = Max | eval change=_time | convert timeformat="%Y/%m/%d - %H:%M" ctime(change)
I will take a look at this conversion now, thanks for your answer!
EDIT: Removing the option "chageFieldType" I got the result I was looking for. Thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Placing two values in a Single value panel defeats the purpose of the Single Value Panel! You can do it with Simple XML that will at least visually work.
<search id="my_events">
<query>... | timechart span=1h sum(count) as Max latest(date_hour) as date_hour | sort - Max</query>
</search>
<row>
<panel>
<single>
<title></title>
<search base="my_events">
<query>fields date_hour</query>
</search>
<option name="afterLabel">had</option>
<option name="beforeLabel">Hour</option>
</single>
<single>
<title></title>
<search base="my_events">
<query>fields Max</query>
</search>
<option name="afterLabel">items</option>
</single>
</panel>
</row>
You may need to adjust the searches to your data.. but the concept holds.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know "SingleValue" panel is named SingleValue for a reason, but as I have seen the piece of code in singletrend.js, it is possible to "Inject a new element after the single value visualization", and I want to use that element injected to show a field.
I know how to do it with two panels, thanks for your help but that is not what I am looking for, sorry if I have not explained myself.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
