- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to show single value trend?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to show single value trend?
Hi
How to show the single value trend, showing increase or decrease from last week? I have a data which will be daily i have to show increase OR decrease fr last 7 days, compared to previous 7 days.I'm using below, its not working. Any suggestions?
index=abc|timechart span=7d count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stats count by datemday
Select time range last 7 days from the time picker
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how about
index=abc|timechart span=1d count | delta count p=7
modified to tell splunk WHAT to delta...(the count field)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried its showing No results Found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kiran331 - Were you able to test out DalJeanis' updated solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My error. Try the new code above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In line with DalJeanis' answer you can use accum to show cumulative upward trend for selected time frame
index=_internal sourcetype=splunkd log_level=ERROR
| timechart count
| accum count as count
Since this is Cumulative or Running total it will always trend upwards. So you can decide color based on trending in scenarios where Running Total remains zero as either red or green and Running Total increasing as other color based on what you have chosen for zero increment.
Notice no span in timechart and I would also leave Single Value trend interval <option name="trendInterval">auto</option> to auto, to let Splunk decide the same based on selected timerange i.e. if Search runs for a day both of them will be hourly and if it runs for a week it will change to daily. You can change them as per your need if you have static time frame.
| makeresults | eval message= "Happy Splunking!!!"
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
