Hi,
I upgraded my splunk to 6.3.
I am working with single value option of splunk.
In single value we have "compare to" option to create trend using timechart.
I just want to know how custom option of compare to works.
I tried searching some document which can explain me this but not able to find.
It will be helpful if anyone can help me with this.
Thanks
I had the same problem. Best documentation i could find was Simple XML Reference (search for trendInterval
). I figured it out using the following query:
| gentimes start=12/09/2015 end=12/10/2015 increment=1h
| streamstats count as n
| eval n=n*n
| eval _time=starttime
| fields _time n
| timechart span=1h sum(n) as count
This query simply generates testdata.
Set the time range for the search to (12/09/2015 00:00:00 to 12/09/2015 24:00:00).
Now try changing Compared to to Custom 3 Hours. The trend compares the last value in the result (576) to the value 3 hours before the last value (441) resulting in a value of 576-441=135 or (576-441)/441=30.6%.
I had the same problem. Best documentation i could find was Simple XML Reference (search for trendInterval
). I figured it out using the following query:
| gentimes start=12/09/2015 end=12/10/2015 increment=1h
| streamstats count as n
| eval n=n*n
| eval _time=starttime
| fields _time n
| timechart span=1h sum(n) as count
This query simply generates testdata.
Set the time range for the search to (12/09/2015 00:00:00 to 12/09/2015 24:00:00).
Now try changing Compared to to Custom 3 Hours. The trend compares the last value in the result (576) to the value 3 hours before the last value (441) resulting in a value of 576-441=135 or (576-441)/441=30.6%.
thanks krdo.:)