Hello,
I want to show one number in a single value and another number in the trendline with the arrow.
For example A, I have this query:
index=quickpay host=f1cloud* "*CompraAutorizacionGenerar* response*" ("xxxxx") sourcetype=QP_busadapter| dedup logid | search "codResp"=0""| rex "\[(?\w+)ServiceStub]" | rex "#MID=(?\w+)#C*" | eval Comercio=case(Comercio=="xxxxx","FACL BF") | rex field=_raw "(?P.+)" | table _time Comercio responseDesc logid | addcoltotals labelfield=logid | timechart span=30m count(logid) as "Cantidad de autorizaciones"
And it shows like this:
Then, the results show like this:
But, as you can see, image 1 shows the trendline with the difference between the last number and the penultimate number: 19 - 5 = 14, and it shows -14 in the trendline.
But we want to show in the trendline the penultimate number, 19, with the arrow pointing down, because the last number was 5.
How can I show this in Splunk?
Thank you!!
I cannot find any way to fake it (I tried fieldformat and several other trickeries) and the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting) does not list any options, so it looks like you will have to make your own custom viz. For anybody else having a go, here is some SPL to get you started:
| makeresults
| eval value="8 9 8 11 15 7 11 19 5"
| makemv value
| mvexpand value
| streamstats count AS _pos
| eventstats max(_pos) AS _count
| eval _time = _time + _pos
| eval _showvalue=if(_pos == (_count - 1), value, null())
| eventstats first(_showvalue) AS _showvalue
@czunigab, as you have already seen, the default Single Value trend behavior compares the final result with the penultimate result and shows the final value as the Single Value and the difference between the final and penultimate values as the Trend Value. Positive or negative shows the trend up or down.
However, your expected behavior is to show the penultimate result as the Single Value and the final value as the Trend Value along with the actual trend indicator.
As stated by @woodcock, with the built-in Single Value visualization behavior your expected output would not be possible if you want to show the trend as well. So you can try the following without a trendline.
Try the following run-anywhere examples.
Option 1: Show only the last two values, no trendline
| makeresults
| eval _time=relative_time(_time,"@h")
| eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800
| makemv logid delim=" "
| mvexpand logid
| accum delta_time
| eval _time=_time-delta_time
| table _time logid
| tail 2
| reverse
| streamstats count as sno
| streamstats current=f window=1 last(logid) as prev
| reverse
| streamstats current=f window=1 last(logid) as next
| eval logid=if(sno=2,logid+prev,logid)
Option 2: Single Value and Trend as per your requirement, but the trendline will not be correct for the final two results
| makeresults
| eval _time=relative_time(_time,"@h")
| eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800
| makemv logid delim=" "
| mvexpand logid
| accum delta_time
| eval _time=_time-delta_time
| table _time logid
| reverse
| streamstats last(logid) as next_logid current=f window=1
| streamstats count as sno
| reverse
| streamstats last(logid) as prev_logid current=f window=1
| eval final_logid=case(sno=1,prev_logid,sno=2,logid+next_logid,true(),logid)
| table _time final_logid
If you want both the trend and the trendline as per your expectation, you might have to use JavaScript to override the values in the Single Value visualization for the single result and trend values.
| sort - _time | head 2
This gives the right big number, but destroys the trendline and gives the wrong trend value.
Yes, it destroys the trendline and it shows wrong values.
Try adding | tail 2 at the end of your current search.
This will not work. It only appeared to work because Splunk resorted your list and reversed it. If you add a | sort 0 _time to put it back to the way that timechart sorts it, you will see that this does not work.
Hi, I tried, but I got the response: "no results found" 😞