I am looking for the hour in which the maximum number of events takes place. My search looks like:
... | timechart span=1h sum(count) as Max | sort -Max
From this, I know how to get both the amount of events in that hour and the hour itself, but I would like to show these fields in the same singlevalue panel.
I think there is a way to do this. I tried modifying the .js in "Single Value Trend" from "Splunk 6.x Dashboard Examples", but had no success, so I wonder if somebody could help me.
Any tip will be appreciated, thanks!
You can use the trellis option from Splunk version 6.6 onwards.
I may be underthinking your question, but have you tried something like:
... | timechart span=1h sum(count) as Max | sort -Max | head 1 | eval display = strftime(_time, "%H") . " " .Max | fields display
You will likely want to adjust the strftime command and perhaps add more labels. I often use this for dashboards that serve as reports with something like - Report Period: (earliest_date) - (latest_date)
Hello! You don't need to modify the .js in Single Value Trend from "Splunk 6.x Dashboard Examples". What you need to modify is your XML code. Try this, with the same Single Value Trend js and css code if you like:
<dashboard script="single_trend.js" stylesheet="single_trend.css">
  <label>Single Value Trend</label>
  <row>
    <single>
      <searchString>index=_internal | timechart span=24h count | reverse | eval value = count | eval change=_time</searchString>
      <earliestTime>-48h</earliestTime>
      <option name="field">value</option>
      <option name="changeField">change</option>
      <option name="changeFieldType">percent</option>
    </single>
  </row>
</dashboard>
Thanks
Wow, thanks, I have never thought it would be so easy.
I have modified some of the options in the .js file to change the icons and so on. The problem I am facing now is that after changing the time format I can only see the year.
This is how my search string looks after customizing yours:
...| timechart span=1h sum(count) as Max | sort -Max | eval value = Max | eval change=_time | convert timeformat="%Y/%m/%d - %H:%M" ctime(change)
I will take a look at this conversion now, thanks for your answer!
EDIT: After removing the option "changeFieldType", I got the result I was looking for. Thank you very much!
Placing two values in a Single value panel defeats the purpose of the Single Value Panel! You can do it with Simple XML that will at least visually work.
<search id="my_events">
  <query>... | timechart span=1h sum(count) as Max latest(date_hour) as date_hour | sort - Max</query>
</search>
<row>
  <panel>
    <single>
      <title></title>
      <search base="my_events">
        <query>fields date_hour</query>
      </search>
      <option name="afterLabel">had</option>
      <option name="beforeLabel">Hour</option>
    </single>
    <single>
      <title></title>
      <search base="my_events">
        <query>fields Max</query>
      </search>
      <option name="afterLabel">items</option>
    </single>
  </panel>
</row>
You may need to adjust the searches to your data, but the concept holds.
I know "SingleValue" panel is named SingleValue for a reason, but as I have seen the piece of code in singletrend.js, it is possible to "Inject a new element after the single value visualization", and I want to use that element injected to show a field.
I know how to do it with two panels. Thanks for your help, but that is not what I am looking for. Sorry if I have not explained myself well.