topic Re: How can I create a bar chart with positive and negative values? in Splunk Search

How can I create a bar chart with positive and negative values?

liondancer — Mon, 30 Apr 2018 19:24:46 GMT

How can I create a bar chart with positive and negative values? Here is the use case I have.

I have events coming in per hour from two different machines, A and B. If machine A has 10 more events generate than machine B, the bar chart should shoot UP 10 units. If machine B has 15 more events than machine A, then the bar chart should shoot DOWN 15 units. If machine A and machine B have the same number of events generated then there would be no units displayed.

I am pretty new to Splunk so I am not sure where to start to create something like this

Re: How can I create a bar chart with positive and negative values?

somesoni2 — Mon, 30 Apr 2018 21:19:25 GMT

Try something on this line.. (assuming you want some sort of timechart of difference of counts in both machines. Also assuming there is a field machine in your logs with value machineA and machineB)

your base search which collects required logs from machineA and machineB
| timechart span=1d count by machine
| rename COMMENT as "Above line would generate a column for values of field machine, so if the field machine has value machineA and machineB, you'd see two fields called machineA and machineB."
| eval Difference='machineA'-'machineB'
| table _time Difference

Re: How can I create a bar chart with positive and negative values?

woodcock — Tue, 01 May 2018 16:31:26 GMT

Like this:

(index="machine_a" OR index="machine_b") category=web
| timechart span=YourSpanHere count BY index
| eval delta = machine_a - machine_b
| timechart span=YourSpanHere first(delta) AS delta

BTW, putting each host in a separate index is probably not the right way to partition your data (although in some cases it can make sense).

Re: How can I create a bar chart with positive and negative values?

liondancer — Tue, 01 May 2018 19:24:27 GMT

Being new to Splunk, how can I PIPE the logs from machine A and machine B to the same chart? My query looks something like this for machine A index="machine_a" category=web and this for machine B index="machine_b" category=web.

Re: How can I create a bar chart with positive and negative values?

woodcock — Tue, 01 May 2018 19:43:42 GMT

See my answer.

Re: How can I create a bar chart with positive and negative values?

liondancer — Tue, 01 May 2018 20:11:31 GMT

Thanks for the update. I should have added more notes to my query. Log from machine A index="machine_a" category=web event_count=100 and log from machine B index="machine_a" category=web event_count=80. The desired output would be 20 as machine A has 20 more events than machine B. If machine B event_count is 100 and machine A event_count is 80, -20 would be the desired output. While reading your query, I think it takes the difference in the number of LOGS and not event_count. I am also confused as to how to reference machineA and machineB values as you did above

Re: How can I create a bar chart with positive and negative values?

woodcock — Tue, 01 May 2018 20:32:17 GMT

Given your clarification in my previous answer, try this:

 (index="machine_a" OR index="machine_b") category=web
 | timechart span=YourSpanHere avg(event_count) BY index
 | eval delta = machine_a - machine_b
 | timechart span=YourSpanHere first(delta) AS delta

You can replace avg with max or latest or some other aggregation more appropriate.

Re: How can I create a bar chart with positive and negative values?

woodcock — Tue, 01 May 2018 20:34:06 GMT

I had a typo (now corrected) where machineA should have been machine_a, etc. See my new answer for better solution.