
How to show two values in the same Single Value panel?

enriquefernande
Explorer

I am looking for the hour in which the maximum number of events takes place. My search looks like:

... | timechart span=1h sum(count) as Max | sort -Max

From this, I know how to get both the amount of events in that hour and the hour itself, but I would like to show these fields in the same singlevalue panel.
I think there is a way to do this. I tried modifying the .js in "Single Value Trend" from "Splunk 6.x Dashboard Examples", but had no success, so I wonder if somebody could help me.
Any tip will be appreciated, thanks!

0 Karma

thambisetty
SplunkTrust

You can use the trellis option from Splunk version 6.6 onwards.

————————————
If this helps, give a like below.
0 Karma

Runals
Motivator

I may be underthinking your question, but have you tried something like

 ... | timechart span=1h sum(count) as Max | sort -Max | head 1 | eval display = strftime(_time, "%H") . " " .Max | fields display

You will likely want to adjust the strftime command and perhaps add more labels. I often use this for dashboards that serve as reports with something like - Report Period: (earliest_date) - (latest_date)

0 Karma

stephanefotso
Motivator

Hello! You don't need to modify the .js in Single Value Trend from "Splunk 6.x Dashboard Examples". What you need to modify is your XML code. Try this, with the same Single Value Trend js and css code if you like:

<dashboard script="single_trend.js" stylesheet="single_trend.css">
    <label>Single Value Trend</label>
    <row>
        <single>
            <searchString>index=_internal | timechart span=24h count | reverse | eval value = count | eval change=_time</searchString>
            <earliestTime>-48h</earliestTime>
            <option name="field">value</option>
            <option name="changeField">change</option>
            <option name="changeFieldType">percent</option>
        </single>
    </row>
</dashboard>

Thanks

SGF

enriquefernande
Explorer

Wow, thanks, I have never thought it would be so easy.
I have modified some of the options in the .js file to change the icons and so on. The problem I am facing now is that, after changing the time format, I can only see the year.
This is how my searchstring looks after customizing yours:
...| timechart span=1h sum(count) as Max | sort -Max | eval value = Max | eval change=_time | convert timeformat="%Y/%m/%d - %H:%M" ctime(change)

I will take a look at this conversion now, thanks for your answer!

EDIT: Removing the option "changeFieldType" I got the result I was looking for. Thank you very much!

alacercogitatus
SplunkTrust

Placing two values in a Single value panel defeats the purpose of the Single Value Panel! You can do it with Simple XML that will at least visually work.

<dashboard>
    <search id="my_events">
        <query>... | timechart span=1h sum(count) as Max latest(date_hour) as date_hour | sort - Max</query>
    </search>
    <row>
        <panel>
            <single>
                <title></title>
                <search base="my_events">
                    <query>fields date_hour</query>
                </search>
                <option name="afterLabel">had</option>
                <option name="beforeLabel">Hour</option>
            </single>
            <single>
                <title></title>
                <search base="my_events">
                    <query>fields Max</query>
                </search>
                <option name="afterLabel">items</option>
            </single>
        </panel>
    </row>
</dashboard>

You may need to adjust the searches to your data, but the concept holds.

enriquefernande
Explorer

I know the "SingleValue" panel is named SingleValue for a reason, but as I have seen in the piece of code in singletrend.js, it is possible to "Inject a new element after the single value visualization", and I want to use that injected element to show a field.
I know how to do it with two panels. Thanks for your help, but that is not what I am looking for; sorry if I have not explained myself.

0 Karma