topic Re: Splunk Trend Indicator Single Value - Assistance would be appreciated in Splunk Search

Splunk Trend Indicator Single Value - Assistance would be appreciated

colinmchugo — Wed, 12 Jul 2017 16:46:31 GMT

I have panels that produce a number using the stat command (stats count | where count=0] | stats count) at the end of each panels calculations with a field that ensures not n/a. What i want to do is show the trend of this number over the last 24 hours or week. I was considering using trend lines but this may work better.

So i need some formula that calculates the number of events from a previous 24 hours i am guessing the avg command and then compares this to current day so i want to see the trends but also want to know if and when this log is not working for some reason. thanks C.

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

niketn — Wed, 12 Jul 2017 19:13:06 GMT

You can show trendline and trend indicator by switching from stats to timechart. You can start off with the following which shows a timechart for last 24 hours with a span of 1 hour.

<YourBaseSearch> earliest=-24h@h latest=now()
| timechart span=1 count

Trend indicator above will be based on current and previous hour. You have several options available with this visualization which you can try out from Splunk UI Edit > Format Visualization option. Refer to documentation for details: https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueGenerate

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

woodcock — Thu, 13 Jul 2017 01:15:13 GMT

Check this out (it will blow your mind):

https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html#answer-512022

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

colinmchugo — Thu, 13 Jul 2017 09:16:30 GMT

Thanks so much i am going through this and hopefully it will resolve my issue, really appreciate your assistance.

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

colinmchugo — Thu, 13 Jul 2017 09:16:37 GMT

Thanks so much i am going through this and hopefully it will resolve my issue, really appreciate your assistance.

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

colinmchugo — Thu, 13 Jul 2017 15:56:28 GMT

Hi i am still not where i want to be and that maybe because i want to make my panels in a way that when someone drills down to this data it produces a table so this would be in the query then ended by a stats count just to get the number of times e.g. someone logged into a system.

I have found | timechart count | timechart per_day(count) span=24h but i am unsure if this is what i want as it differs numbers wise from the stats count but i am trying to ascertain if this is due to the way it counts 24 hours (from now or from midnight). So i am getting the trendlines i wanted but not the right math.

So id greatly appreciate some more assistance to crack this thing as its annoying when you can get a result.

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

colinmchugo — Thu, 13 Jul 2017 15:56:36 GMT

So id greatly appreciate some more assistance to crack this thing as its annoying when you can get a result.

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

colinmchugo — Thu, 13 Jul 2017 16:12:52 GMT

So to be as clear as i can be for example lets say i am getting a result of 36 events which have occurred in the last 24 hours (dropdown box selection). But the visualization with the above is showing 7 -22 or down 22 from yesterday as i understand it. Why does this not add up too 36? thanks again. I have used two sources by ID & by Source time like as follows which both have the 7 -22| timechart span=1d count by SourceType but yet there are 36 events. I just want to verify that the data is correct and i am not displaying incorrect figures as i want to see the number of instances in last 24 hours and show if this up or down from yesterday with a little trend line would be brilliant as this would show if the logs are functioning as they should be. thanks

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

colinmchugo — Thu, 13 Jul 2017 16:13:09 GMT

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

mattymo — Thu, 13 Jul 2017 16:36:50 GMT

Hey colinmchugo!

is this what you are after?

The key is to run your search over the proper amount of time to ensure you have your current value and the value you want to compare to. I would suggest looking at timechart rather than stats, because you need to retain the context of time in your comparison.

In this simple example, I am searching the count of events in my index over the last 48 hours:

index=n00blab 
|  timechart partial=f span=1h count

I used partial=f as to not compare buckets that are not finished yet. If you need the comparison to be more "real-time" just shorten your span. 5m usually does the trick and is good for human response and operational insight.

The i used the single indicator viz, and set the format to compare to the last 24 hours...You can customize this as you wish.

Is this getting closer?

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

thulasikrishnan — Thu, 29 Aug 2019 14:59:48 GMT

partial=f ftw!

Re: Splunk Trend Indicator Single Value - Assistance would be appreciated

aferone — Fri, 14 Feb 2020 19:22:11 GMT

I had to make sure I commented and THANK YOU for the "partial = f". I was going a little crazy. Thank you!!