Dashboards & Visualizations

Splunk query compare two results

leandromatperei
Path Finder

Guys,

I have the query below in simple Single Value format:

index = event_viewer "collection = PerfMon" | timechart span = 10m count as PerfMon

I need to compare the current value with the last 30 minutes and if it has a difference of more than 50% turn red, this is for values ​​above or below.

Ex: 15:00 -> 1300
3:30 pm -> 1800
4:00 pm -> 3600

My Single Value chart must be red at exactly 16:00.

If it is not clear, please let me know.

0 Karma

to4kawa
Ultra Champion
<form>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2h@m"), relative_time(_time,"@m")) 
| makecontinuous span=1m _time
| eval count=random() % 200
| timechart span=10m sum(count) as PerfMon
| rename COMMENT as "From here, the logic is"
| streamstats list(PerfMon) as PM window=4
| eval PM_30min=if(mvcount(PM)==4,mvindex(PM,0),NULL)
| reverse
| table _time PerfMon PM_30min |head 1|eval range=if(PerfMon / PM_30min > 2 OR PerfMon / PM_30min < 0.5 , "#FF0000" , "#008000")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="value">$result.PerfMon$</set>
              <set token="color">$result.range$</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <html id="test">
        <head>
          <style>
            #test {height:200px;}

p {display:block;
   color: $color$;
   font-size: 12ex;}
</style>
        </head>
<body>
  <div id="sample">
<p><br/></br>
  $value$</p>
</div>
</body>
      </html>
    </panel>
  </row>
</form>

It is difficult because rangemap related options are gone with single value.
I made it with html instead. But it's NOT cool.

Would someone please make it cool.

0 Karma

to4kawa
Ultra Champion
0 Karma

martynoconnor
Communicator

index = _internal component=Metrics earliest=-60m@m latest=-30m@m | stats count as OldMetrics
| appendcols
[search index = _internal component=Metrics earliest=-30m@m latest=now | stats count as LatestMetrics]
| eval deviation=round(OldMetrics/LatestMetrics,2),deviation=1-deviation
| eval alert=case(deviation<-0.5,"Yes",deviation>-.05 AND deviation<0.5,"No",deviation>0.5,"Yes")

That should give you an example of how you can compare two values across two time periods. For your use case you'd want to format the single value to be red if deviation is between -0.5 and 0.5 (hence you can use the alert field) - if you need to use numeric values cause formatting doesn't let you use Yes/No, then use replace those in the search

0 Karma

leandromatperei
Path Finder

And how can I make this result show me a Single Value in the Preview option?

I need to add the return difference in a Dashboard.

Ex: Below 50% difference turns green, above it turns red.

0 Karma

martynoconnor
Communicator

The issue you might have is that colouring on single values is for ranges. You're looking for deviation percentage, whilst also still retaining the actual result in the single value. You could perhaps have two single values next to each other - one is the literal value, and next to it is the percentage deviation. Then you can colour it on a range.

0 Karma

leandromatperei
Path Finder

Guys can anyone give a help in this part?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...