topic Re: How to display the difference of results by source as a single value ,along with trending arrow of difference in Splunk Search

How to display the difference of results by source as a single value ,along with trending arrow of difference

avni26 — Wed, 30 Sep 2020 02:41:00 GMT

Hi Team,
I have multiple sources in sourcetype. Want to see difference of result from last two sources. Latest source is "date_10162019.csv", and last source is "data_10102019.csv"
I am calculating the result based on latest source and before latest source of a sourcetype from below. And I have to show in trend with difference in up /down arrow.
index="idx" sourcetype=xyz [| search index="idx" sourcetype=xyz| table source,_time,sourcetype,host | dedup source | sort -_time | head 2 | table source]
| table _time "Application Name", source,Status,Environment,sm
| eval status = (some eval condition)
| eval deploy = (some condition)
| search "Status" = Eligible AND "Environment" = Dev
| stats sum(status) as status_sm, sum(deploy) as build , count as count by source
| eval count= count - ( status_sm + build)
| eval per= round((sm)*100/count)
| table source per

Output is like
source per
data_10162019.csv 89
data_10102019.csv 60

I want to show this result in trend , as single value showing latest source output (i.e 89) and in arrow sowing their difference (i.e 29).
Please help.

Re: How to display the difference of results by source as a single value ,along with trending arrow of difference

to4kawa — Wed, 23 Oct 2019 13:27:07 GMT

| stats count
| eval _raw="source,per
data_10162019.csv,89
data_10102019.csv,60"
| multikv forceheader=1
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time

Hi, this is sample query.

index="idx" sourcetype=xyz [| search index="idx" sourcetype=xyz
| table source,_time,sourcetype,host 
| dedup source | sort -_time | head 2 | table source]
| table _time "Application Name", source,Status,Environment,sm
| eval status = (some eval condition)
| eval deploy = (some condition)
| search "Status" = Eligible AND "Environment" = Dev
| stats sum(status) as status_sm, sum(deploy) as build , count as count by source
| eval count= count - ( status_sm + build)
| eval per= round((sm)*100/count)
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time

how about this?

Re: How to display the difference of results by source as a single value ,along with trending arrow of difference

dpeukert — Wed, 23 Oct 2019 13:34:39 GMT

Hello,

it seems like you want to use a sparkline in a single value visualization. The second link gives the most important information about it, namely that you need to use the timechart command to be able to get your desired visualization. (You've been using table instead.)

Re: How to display the difference of results by source as a single value ,along with trending arrow of difference

avni26 — Wed, 23 Oct 2019 15:00:48 GMT

@to4kawa Thank you. It perfectly worked for me.

Re: How to display the difference of results by source as a single value ,along with trending arrow of difference

avni26 — Tue, 29 Oct 2019 11:07:15 GMT

Hi @to4kawa
There is another requirement to show trend in last column of table. I have table showing user , result from last source and from latest source. Now want to take difference of results and display in last column in trend. Please help.

Re: How to display the difference of results by source as a single value ,along with trending arrow of difference

to4kawa — Tue, 29 Oct 2019 14:17:36 GMT

Without a sample log, it's hard to understand.
Can you ask me another question?

Re: How to display the difference of results by source as a single value ,along with trending arrow of difference

avni26 — Wed, 30 Sep 2020 02:43:24 GMT

@to4kawa ,

Sample Output

user latest_source_perc last_source_perc difference
xyz 76 70 6
abc 86 82 4

Wanted to show the output like this (where last column will show trend with arrow or sparkline)
user latest_source_perc trend_with arrow
xyz 76 76
6
abc 86 82

4

Re: How to display the difference of results by source as a single value ,along with trending arrow of difference

to4kawa — Tue, 29 Oct 2019 15:22:44 GMT

<dashboard>
  <label>test2</label>
    <search id="baseSearch">
    <query>
      | stats count
| eval _raw="user,latest_source_perc,last_source_perc,difference
xyz,76,70,6
abc,86,82,4"
| multikv forceheader=1
| table user last_source_perc latest_source_perc 
    </query>
  </search>
  <row>
    <panel>
      <title>Base Seach Result</title>
      <table>
        <search base="baseSearch">
          <query>| transpose</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>xyz</title>
      <single>
        <search base="baseSearch">
          <query>| transpose
| fields "row 1"
| streamstats count as _time
| where _time!=1</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>abc</title>
      <single>
        <search base="baseSearch">
          <query>| transpose
| fields "row 2"
| streamstats count as _time
| where _time!=1</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</dashboard>