Dashboards & Visualizations

How can I show the single value and the trendline number at the same time?

czunigab
Explorer

Hello,

I want to show one number as the single value and another number in the trendline with the arrow.
For example A, I have this query:

index=quickpay host=f1cloud* "*CompraAutorizacionGenerar* response*" ("xxxxx") sourcetype=QP_busadapter| dedup logid | search "codResp"=0""| rex "\[(?\w+)ServiceStub]" | rex "#MID=(?\w+)#C*" | eval Comercio=case(Comercio=="xxxxx","FACL BF") | rex field=_raw "(?P.+)" | table _time Comercio responseDesc logid  | addcoltotals labelfield=logid | timechart span=30m count(logid) as "Cantidad de autorizaciones"

And it shows like this:
[image]

Then, the results show like this:
[image]

But, as you can see, image 1 shows the trendline with the difference between the last number and the penultimate number: 19 - 5 = 14, and it shows -14 in the trendline.

But we want to show the penultimate number, 19, in the trendline, with the arrow pointing down, because the last number was 5.

How can I show this in Splunk?

Thank you!!

woodcock
Esteemed Legend

I cannot find any way to fake it (I tried fieldformat and several other trickeries) and the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting) does not list out any options, so it looks like you will have to make your own custom viz. For anybody else having a go, here is some SPL to get you started:

|  makeresults 
|  eval value="8 9 8 11 15 7 11 19 5"
|  makemv value
| mvexpand value
| streamstats count AS _pos
| eventstats max(_pos) AS _count
| eval _time = _time + _pos
| eval _showvalue=if(_pos == (_count - 1), value, null())
| eventstats first(_showvalue) AS _showvalue
0 Karma

niketn
Legend

@czunigab, as you have already seen:

The default Single Value trend behavior compares the final result with the penultimate result and shows the final value as the Single Value and the difference between the final and penultimate values as the Trend Value. Positive or negative shows the trend up or down.
However, your expected behavior is to show the penultimate result as the Single Value and the final value as the Trend Value, along with the actual trend indicator.

As stated by @woodcock, with the built-in Single Value visualization behavior your expected output would not be possible if you want to show the trend as well. So you can try the following without the trendline.

Try the following run-anywhere examples:
Option 1: Show only the last two values, no trendline

| makeresults 
| eval _time=relative_time(_time,"@h") 
| eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800 
| makemv logid delim=" " 
| mvexpand logid 
| accum delta_time 
| eval _time=_time-delta_time 
| table _time logid
| tail 2
| reverse
| streamstats count as sno
| streamstats current=f window=1 last(logid) as prev
| reverse
| streamstats current=f window=1 last(logid) as next
| eval logid=if(sno=2,logid+prev,logid)

Option 2: Single Value and Trend as per your requirement, but the trendline will not be correct for the final two results

| makeresults 
| eval _time=relative_time(_time,"@h") 
| eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800 
| makemv logid delim=" " 
| mvexpand logid 
| accum delta_time 
| eval _time=_time-delta_time 
| table _time logid
| reverse
| streamstats last(logid) as next_logid current=f window=1
| streamstats count as sno
| reverse
| streamstats last(logid) as prev_logid current=f window=1
| eval final_logid=case(sno=1,prev_logid,sno=2,logid+next_logid,true(),logid)
| table _time final_logid

If you want both the trend and the trendline as per your expectation, you might have to use JavaScript to override the values in the Single Value visualization for the Single Result and Trend values.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
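
The arithmetic behind the two options above, as an added example that is not part of the original posts: it models the Single Value as described in this thread (big number = last row, trend = last row minus penultimate row) and applies the same row rewrites as the two SPL searches. The function names are hypothetical helpers, not Splunk APIs, and the values are assumed to be numeric.

```javascript
// Sample series taken from the thread's makeresults examples.
const SERIES = [8, 9, 8, 11, 15, 7, 11, 19, 5];

// Model of the built-in Single Value as described in the thread:
// big number = last row, trend = last row - penultimate row.
function singleValue(rows) {
  const last = rows[rows.length - 1];
  const prev = rows[rows.length - 2];
  return { value: last, trend: last - prev };
}

// Option 1 rewrite: keep the last two rows and add the final value to
// the penultimate one, so the computed delta becomes -penultimate.
function option1(rows) {
  const [prev, last] = rows.slice(-2);
  return [prev + last, last];
}

// Option 2 rewrite: keep every row, but replace the last two with
// (penultimate + final, penultimate), so the delta becomes -final.
function option2(rows) {
  const out = rows.slice();
  const n = out.length;
  out[n - 2] = rows[n - 2] + rows[n - 1];
  out[n - 1] = rows[n - 2];
  return out;
}

// Does the arrow drawn for the rewritten rows point the same way as
// the real change between the last two original rows?
function arrowMatchesData(rows, rewrite) {
  const real = Math.sign(singleValue(rows).trend);
  const shown = Math.sign(singleValue(rewrite(rows)).trend);
  return real === shown;
}

// Caveat the rewrites share: for positive counts the displayed delta
// is always negative, so a rising series still gets a down arrow.
const RISING = [8, 9, 5, 19];

console.log(singleValue(SERIES));            // default behaviour
console.log(singleValue(option1(SERIES)));   // 5 with trend -19
console.log(singleValue(option2(SERIES)));   // 19 with trend -5
console.log(arrowMatchesData(RISING, option1), arrowMatchesData(RISING, option2));
```

Because both rewrites force a negative delta, they only display a correct arrow when the latest count actually dropped; a dashboard that must show rises as well needs the sign handled separately.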

felipesewaybric
Contributor

| sort - _time | head 2

0 Karma

woodcock
Esteemed Legend

This gives the right big number, but destroys the trendline and gives the wrong trend value.

0 Karma

czunigab
Explorer

Yes, it destroys the trendline and it shows wrong values.

0 Karma

somesoni2
SplunkTrust

Try adding | tail 2 at the end of your current search.

0 Karma

woodcock
Esteemed Legend

This will not work. It only appeared to work because Splunk re-sorted your list and reversed it. If you add a | sort 0 _time to put it back to the way that timechart sorts it, you will see that this does not work.

0 Karma

czunigab
Explorer

Hi, I tried, but I got the response: "no results found" 😞

0 Karma