https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258929#M77612 <P>If you need trend to be based on last an hour before the current one you need to add the following earliest and latest time to your base search (i.e. <STRONG>last 2 hours</STRONG>) </P> <PRE><CODE> &lt;earliest&gt;-2h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; </CODE></PRE> <P>Your search query will change as following:</P> <PRE><CODE>index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1h count </CODE></PRE> <P>And then edit <STRONG>Compared to</STRONG> to 1 hour before so that current hour stats are compared with previous hour for trending.</P> <PRE><CODE>&lt;option name="trendInterval"&gt;-1h&lt;/option&gt; </CODE></PRE> <P>This way you will current hour count as Single value and last hour count as trend indicator. </P> <P>PS: Timeline will be restricted to only last two hour as per your need, but you can set -2h@h to even earlier value like -4h@h (last 4 hours) or even -0d@d (beginning of the day) to show hourly sparlike in the trend indicator. However, trend interval will remain 1 hour and current hour will always be compared with previous hour as set in above code block.</P> Thu, 01 Dec 2016 03:50:18 GMT niketn 2016-12-01T03:50:18Z https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258925#M77608 <P>HI,<BR /> i am trying to display ERROR count as a single value and using below search</P> <PRE><CODE>index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1m count | eval _time=_time-now()%3600 | sort +_time </CODE></PRE> Wed, 30 Nov 2016 23:02:40 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258925#M77608 rajgowd1 2016-11-30T23:02:40Z https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258926#M77609 <P>Why not just add on a '| stats count' or a '|stats count | table count' on the end, that would give you a count of the events you have found.</P> Wed, 30 Nov 2016 23:13:44 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258926#M77609 mrgibbon 2016-11-30T23:13:44Z https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258927#M77610 <P>HI,<BR /> i would like to display and want to change this so it shows the continuous last 60 minutes. So if the search is run at 17:00 the single value would show 15:00 to 16:00 and the trend arrow and value with compare is 14:00 to 15:00</P> Wed, 30 Nov 2016 23:27:27 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258927#M77610 rajgowd1 2016-11-30T23:27:27Z https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258928#M77611 <P>Take a look here, it mentions a timechart command may produce the result you want:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/SingleValueFormatting">link text</A></P> <P>So you may already have the code you need. Have you tried looking at the options for the trend in the xml?</P> Thu, 01 Dec 2016 00:07:34 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258928#M77611 mrgibbon 2016-12-01T00:07:34Z https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258929#M77612 <P>If you need trend to be based on last an hour before the current one you need to add the following earliest and latest time to your base search (i.e. <STRONG>last 2 hours</STRONG>) </P> <PRE><CODE> &lt;earliest&gt;-2h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; </CODE></PRE> <P>Your search query will change as following:</P> <PRE><CODE>index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1h count </CODE></PRE> <P>And then edit <STRONG>Compared to</STRONG> to 1 hour before so that current hour stats are compared with previous hour for trending.</P> <PRE><CODE>&lt;option name="trendInterval"&gt;-1h&lt;/option&gt; </CODE></PRE> <P>This way you will current hour count as Single value and last hour count as trend indicator. </P> <P>PS: Timeline will be restricted to only last two hour as per your need, but you can set -2h@h to even earlier value like -4h@h (last 4 hours) or even -0d@d (beginning of the day) to show hourly sparlike in the trend indicator. However, trend interval will remain 1 hour and current hour will always be compared with previous hour as set in above code block.</P> Thu, 01 Dec 2016 03:50:18 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258929#M77612 niketn 2016-12-01T03:50:18Z https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258930#M77613 <P>Thank you,i updated the search string based on your suggestion and its working perfectly</P> Thu, 01 Dec 2016 18:42:46 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-current-ERROR-trend-as-a-single-value/m-p/258930#M77613 rajgowd1 2016-12-01T18:42:46Z