Sample Output

avni26 · ‎10-23-2019

Hi Team,
I have multiple sources in sourcetype. Want to see difference of result from last two sources. Latest source is "date_10162019.csv", and last source is "data_10102019.csv"
I am calculating the result based on latest source and before latest source of a sourcetype from below. And I have to show in trend with difference in up /down arrow.
index="idx" sourcetype=xyz [| search index="idx" sourcetype=xyz| table source,_time,sourcetype,host | dedup source | sort -_time | head 2 | table source]
| table _time "Application Name", source,Status,Environment,sm
| eval status = (some eval condition)
| eval deploy = (some condition)
| search "Status" = Eligible AND "Environment" = Dev
| stats sum(status) as status_sm, sum(deploy) as build , count as count by source
| eval count= count - ( status_sm + build)
| eval per= round((sm)*100/count)
| table source per

Output is like
source per
data_10162019.csv 89
data_10102019.csv 60

I want to show this result in trend , as single value showing latest source output (i.e 89) and in arrow sowing their difference (i.e 29).
Please help.

to4kawa · ‎10-23-2019

| stats count
| eval _raw="source,per
data_10162019.csv,89
data_10102019.csv,60"
| multikv forceheader=1
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time

Hi, this is sample query.

index="idx" sourcetype=xyz [| search index="idx" sourcetype=xyz
| table source,_time,sourcetype,host 
| dedup source | sort -_time | head 2 | table source]
| table _time "Application Name", source,Status,Environment,sm
| eval status = (some eval condition)
| eval deploy = (some condition)
| search "Status" = Eligible AND "Environment" = Dev
| stats sum(status) as status_sm, sum(deploy) as build , count as count by source
| eval count= count - ( status_sm + build)
| eval per= round((sm)*100/count)
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time

how about this?

View solution in original post

avni26 · ‎10-29-2019

Hi @to4kawa
There is another requirement to show trend in last column of table. I have table showing user , result from last source and from latest source. Now want to take difference of results and display in last column in trend. Please help.

to4kawa · ‎10-29-2019

Without a sample log, it's hard to understand.
Can you ask me another question?

avni26 · ‎10-29-2019

@to4kawa ,

Sample Output

user latest_source_perc last_source_perc difference
xyz 76 70 6
abc 86 82 4

Wanted to show the output like this (where last column will show trend with arrow or sparkline)
user latest_source_perc trend_with arrow
xyz 76 76
6
abc 86 82

4

to4kawa · ‎10-29-2019

<dashboard>
  <label>test2</label>
    <search id="baseSearch">
    <query>
      | stats count
| eval _raw="user,latest_source_perc,last_source_perc,difference
xyz,76,70,6
abc,86,82,4"
| multikv forceheader=1
| table user last_source_perc latest_source_perc 
    </query>
  </search>
  <row>
    <panel>
      <title>Base Seach Result</title>
      <table>
        <search base="baseSearch">
          <query>| transpose</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>xyz</title>
      <single>
        <search base="baseSearch">
          <query>| transpose
| fields "row 1"
| streamstats count as _time
| where _time!=1</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>abc</title>
      <single>
        <search base="baseSearch">
          <query>| transpose
| fields "row 2"
| streamstats count as _time
| where _time!=1</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</dashboard>

dpeukert · ‎10-23-2019

Hello,

it seems like you want to use a sparkline in a single value visualization. The second link gives the most important information about it, namely that you need to use the timechart command to be able to get your desired visualization. (You've been using table instead.)

to4kawa · ‎10-23-2019

| stats count
| eval _raw="source,per
data_10162019.csv,89
data_10102019.csv,60"
| multikv forceheader=1
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time

Hi, this is sample query.

index="idx" sourcetype=xyz [| search index="idx" sourcetype=xyz
| table source,_time,sourcetype,host 
| dedup source | sort -_time | head 2 | table source]
| table _time "Application Name", source,Status,Environment,sm
| eval status = (some eval condition)
| eval deploy = (some condition)
| search "Status" = Eligible AND "Environment" = Dev
| stats sum(status) as status_sm, sum(deploy) as build , count as count by source
| eval count= count - ( status_sm + build)
| eval per= round((sm)*100/count)
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time

how about this?

avni26 · ‎10-23-2019

@to4kawa Thank you. It perfectly worked for me.

How to display the difference of results by source as a single value ,along with trending arrow of difference

Sample Output

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life