https://community.splunk.com/t5/Splunk-Search/Trending-sum-count/m-p/523561#M147660 <P>Thank you. Close however the numbers aren't adding up.</P><P>So for instance: if run stats sum - the total count comes to over 2000. This is the sum of the values in VALUE_NUM. There are multiple events that has VALUE_NUM with the value greater than 0.</P><P>whereas with Timechart - it comes to about 300 (missing 1700)</P><P>These events are usually populated during the weekends and some (small amount of events) come during the day. So the sum of VALUE_NUM over 7 days = 2000; and comparing it to the past 7 days of the sum would be ideal.</P><P>ex:</P><P>Sum of Week1=2500</P><P>Sum of Week2=1800</P><P>Sum of Week3=2000</P><P>So trendline for Week3 would show an uptick of 200 and the count as 2000</P> Thu, 08 Oct 2020 01:04:55 GMT munisb 2020-10-08T01:04:55Z https://community.splunk.com/t5/Splunk-Search/Trending-sum-count/m-p/523553#M147655 <P>Hi,</P><P>I am trying to create a trending single value however having trouble setting it up. Essentially the stats below sums up VALUE_NUM and works as expected however i would like to compare this to 7d period or with the same previous_value of the time-picker</P><LI-CODE lang="markup">index=main VALUE_NUM&gt;0 | dedup UUID | stats sum(VALUE_NUM)</LI-CODE><P>I have tried&nbsp;</P><LI-CODE lang="markup">index=main VALUE_NUM&gt;0 | dedup UUID | timechart count as sum(VALUE_NUM) span=7d</LI-CODE><P>however this isn't returning the correct value</P><P>&nbsp;</P><P>TIA</P> Wed, 07 Oct 2020 23:15:40 GMT https://community.splunk.com/t5/Splunk-Search/Trending-sum-count/m-p/523553#M147655 munisb 2020-10-07T23:15:40Z https://community.splunk.com/t5/Splunk-Search/Trending-sum-count/m-p/523557#M147656 <P>With a single value visualisation, you can add a trend sparkline showing the comparison against earlier, but you need to use timechart</P><LI-CODE lang="markup">index=main VALUE_NUM&gt;0 | dedup UUID | timechart span=1d sum(VALUE_NUM) </LI-CODE><P>and then in the format section of the single value viz, set these</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bowesmana_0-1602115005335.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11191i5D4DCB9136048A7D/image-size/medium?v=v2&amp;px=400" role="button" title="bowesmana_0-1602115005335.png" alt="bowesmana_0-1602115005335.png" /></span></P><P>Hope this helps</P><P>Another command you can use is timewrap, which can then show corresponding time periods mapped onto the same chart period&nbsp;</P><P>&nbsp;</P> Wed, 07 Oct 2020 23:57:49 GMT https://community.splunk.com/t5/Splunk-Search/Trending-sum-count/m-p/523557#M147656 bowesmana 2020-10-07T23:57:49Z https://community.splunk.com/t5/Splunk-Search/Trending-sum-count/m-p/523561#M147660 <P>Thank you. Close however the numbers aren't adding up.</P><P>So for instance: if run stats sum - the total count comes to over 2000. This is the sum of the values in VALUE_NUM. There are multiple events that has VALUE_NUM with the value greater than 0.</P><P>whereas with Timechart - it comes to about 300 (missing 1700)</P><P>These events are usually populated during the weekends and some (small amount of events) come during the day. So the sum of VALUE_NUM over 7 days = 2000; and comparing it to the past 7 days of the sum would be ideal.</P><P>ex:</P><P>Sum of Week1=2500</P><P>Sum of Week2=1800</P><P>Sum of Week3=2000</P><P>So trendline for Week3 would show an uptick of 200 and the count as 2000</P> Thu, 08 Oct 2020 01:04:55 GMT https://community.splunk.com/t5/Splunk-Search/Trending-sum-count/m-p/523561#M147660 munisb 2020-10-08T01:04:55Z