Hi
How to show the single value trend, showing increase or decrease from last week? I have a data which will be daily i have to show increase OR decrease fr last 7 days, compared to previous 7 days.I'm using below, its not working. Any suggestions?
index=abc|timechart span=7d count
Stats count by datemday
Select time range last 7 days from the time picker
how about
index=abc|timechart span=1d count | delta count p=7
modified to tell splunk WHAT to delta...(the count field)
I tried its showing No results Found
@kiran331 - Were you able to test out DalJeanis' updated solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!
My error. Try the new code above.
In line with DalJeanis' answer you can use accum to show cumulative upward trend for selected time frame
index=_internal sourcetype=splunkd log_level=ERROR
| timechart count
| accum count as count
Since this is Cumulative or Running total it will always trend upwards. So you can decide color based on trending in scenarios where Running Total remains zero as either red or green and Running Total increasing as other color based on what you have chosen for zero increment.
Notice no span in timechart and I would also leave Single Value trend interval <option name="trendInterval">auto</option>
to auto, to let Splunk decide the same based on selected timerange i.e. if Search runs for a day both of them will be hourly and if it runs for a week it will change to daily. You can change them as per your need if you have static time frame.