Single value with trend to compare the results of the current week to previous week

uveys
Engager

Hi everyone!

I have the following single value with trend:

<single>
    <search>
        <query>type"something" abc="$xyz$" res!=220
                    | timechart sum(field1) as Count span=7d
        </query>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
    </search>
    <option name="trendInterval">-7d</option>
    <option name="colorBy">trend</option>
    <option name="useColors">1</option>
    <option name="showSparkline">1</option>
    <option name="underLabel">Compared to a week before</option>
    <option name="drilldown">all</option>
</single>

Now what I wanna have is the comparison between the accumulative results of the current week to the previous week. However, the query compares only the results of the current day to the previous week instead of the sum of the results received in the current week, up to the current day. (Example: Let's assume today is Wednesday and I want to compare the sum of the results of Monday, Tuesday and Wednesday combined to the week before, not just Wednesday. What I mean by "current week" can also be described as the "selected week" with regard to the time token value.)

Thanks in advance!


kamlesh_vaghela
SplunkTrust

@uveys

Can you please try by changing search:

type"something" abc="$xyz$" res!=220
                     | timechart sum(field1) as Count span=w

2nd

 <earliest>-2w@w</earliest>
 <latest>now</latest>

3rd

 <option name="trendInterval">w</option>


uveys
Engager

Thanks for the suggestion! The value is the same as before (which is the correct value, because today is Monday and the comparison works either way), but the trend value disappears with this optimization. Besides, if I select the previous week on the dropdown, the value doesn't change, due to not using the global time token.

kamlesh_vaghela
SplunkTrust

@uveys

I think with the changes below it is working for me, so for you also.

Splunk considers Sunday as the first day of the week. As your week starts with Monday, I suggest you change earliest in the search.

type"something" abc="$xyz$" res!=220 earliest=-1w@w1 | timechart sum(field1) as Count span=w

This will start the search by considering Monday as the week start day.

For comparison, just for testing purposes, and as our search will return only 2 rows, remove the trendInterval option.

For "Besides if i select the previous week on dropdown, the value doesn't change, due to not using the global time token": you can mention the global time picker in earliest/latest to refresh the panel, but it will not impact the result as we set earliest in the search.

Just sharing my sample code:

<panel>
  <title>ABCD</title>
  <single>
    <search>
      <query>index=_internal component="*" earliest=-1w@w1 | timechart count span=w</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="colorBy">trend</option>
    <option name="useColors">1</option>
    <option name="showSparkline">1</option>
    <option name="underLabel">Compared to a week before</option>
    <option name="drilldown">all</option>
  </single>
</panel>

uveys
Engager

I don't quite understand the usage of

       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>

Is that the same field that I'm doing the timechart sum operation with? If yes, I get the following error message: "Search process is waiting for input". I also tried it with your exact sample code, with the aforementioned field, the result is still the same.

kamlesh_vaghela
SplunkTrust

@uveys

$field1.earliest$ is my timerange token. You have to use your own timerange token name here.
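The token wiring discussed in the replies above, as an added example that is not part of any original post: a complete form in which a time input defines the token that the panel's `<earliest>`/`<latest>` elements reference. A panel that references a token no input has set stays waiting for input. The token name `field1` is taken from the sample panel above; the dashboard label, input label and default range are assumptions.

```xml
<form>
  <label>Weekly comparison (constructed example)</label>
  <fieldset submitButton="false">
    <!-- The token name set here is what the panel references as
         $field1.earliest$ and $field1.latest$. Use your own token name
         in both places. -->
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <!-- Assumed default range; any valid time modifiers work. -->
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>ABCD</title>
      <single>
        <search>
          <!-- earliest=-1w@w1 snaps to Monday of the previous week.
               Because it is set inside the query, the picker refreshes
               the panel but does not change the searched range, as the
               reply above points out. -->
          <query>index=_internal component="*" earliest=-1w@w1 | timechart count span=w</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="useColors">1</option>
        <option name="showSparkline">1</option>
        <option name="underLabel">Compared to a week before</option>
        <option name="drilldown">all</option>
      </single>
    </panel>
  </row>
</form>
```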

uveys
Engager

Thanks kamlesh_vaghela, it works now!
Best Regards

niketn
Legend

@uveys please accept/upvote the answer if it helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"