topic Re: Splunk query compare two results in Dashboards & Visualizations

Splunk query compare two results

leandromatperei — Tue, 17 Dec 2019 19:49:07 GMT

Guys,

I have the query below in simple Single Value format:

index = event_viewer "collection = PerfMon" | timechart span = 10m count as PerfMon

I need to compare the current value with the last 30 minutes and if it has a difference of more than 50% turn red, this is for values above or below.

Ex: 15:00 -> 1300
3:30 pm -> 1800
4:00 pm -> 3600

My Single Value chart must be red at exactly 16:00.

If it is not clear, please let me know.

Re: Splunk query compare two results

martynoconnor — Tue, 17 Dec 2019 20:29:35 GMT

index = _internal component=Metrics earliest=-60m@m latest=-30m@m | stats count as OldMetrics
| appendcols
[search index = _internal component=Metrics earliest=-30m@m latest=now | stats count as LatestMetrics]
| eval deviation=round(OldMetrics/LatestMetrics,2),deviation=1-deviation
| eval alert=case(deviation<-0.5,"Yes",deviation>-.05 AND deviation<0.5,"No",deviation>0.5,"Yes")

That should give you an example of how you can compare two values across two time periods. For your use case you'd want to format the single value to be red if deviation is between -0.5 and 0.5 (hence you can use the alert field) - if you need to use numeric values cause formatting doesn't let you use Yes/No, then use replace those in the search

Re: Splunk query compare two results

leandromatperei — Wed, 18 Dec 2019 01:23:27 GMT

And how can I make this result show me a Single Value in the Preview option?

I need to add the return difference in a Dashboard.

Ex: Below 50% difference turns green, above it turns red.

Re: Splunk query compare two results

leandromatperei — Fri, 20 Dec 2019 21:18:31 GMT

Guys can anyone give a help in this part?

Re: Splunk query compare two results

to4kawa — Fri, 20 Dec 2019 23:50:17 GMT

<form>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2h@m"), relative_time(_time,"@m")) 
| makecontinuous span=1m _time
| eval count=random() % 200
| timechart span=10m sum(count) as PerfMon
| rename COMMENT as "From here, the logic is"
| streamstats list(PerfMon) as PM window=4
| eval PM_30min=if(mvcount(PM)==4,mvindex(PM,0),NULL)
| reverse
| table _time PerfMon PM_30min |head 1|eval range=if(PerfMon / PM_30min > 2 OR PerfMon / PM_30min < 0.5 , "#FF0000" , "#008000")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="value">$result.PerfMon$</set>
              <set token="color">$result.range$</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <html id="test">
        <head>
          <style>
            #test {height:200px;}

p {display:block;
   color: $color$;
   font-size: 12ex;}
</style>
        </head>
<body>
  <div id="sample">
<p><br/></br>
  $value$</p>
</div>
</body>
      </html>
    </panel>
  </row>
</form>

It is difficult because rangemap related options are gone with single value.
I made it with html instead. But it's NOT cool.

Would someone please make it cool.

Re: Splunk query compare two results

to4kawa — Sat, 21 Dec 2019 07:44:18 GMT

simple-xml-i-want-to-create-cool-single-value-disp

as you like.

Re: Splunk query compare two results

martynoconnor — Sat, 21 Dec 2019 11:43:53 GMT

The issue you might have is that colouring on single values is for ranges. You're looking for deviation percentage, whilst also still retaining the actual result in the single value. You could perhaps have two single values next to each other - one is the literal value, and next to it is the percentage deviation. Then you can colour it on a range.