Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to show the difference in data values on timechart?

yourcd
New Member
‎04-18-2019 03:04 PM

I have a time chart showing counts over a period of time using a bar chart. How to show the difference between the values on a bar? I want to display a hike(+/-) of the current count over the last count value. Please help.

Tags (1)
0 Karma
Reply

yourcd
New Member
‎04-26-2019 11:15 AM

Let me re-phrase what is the scenario. In our application, we run a data report utility on demand which generates loggers of total count files in the application. While making a Splunk dashboard, I want to show the total files count generated over the period of time. This I a doing using timechart. However, I also wanted to show total file count growth compared to the last total count. The challenge I am facing here is, we don't have any specific frequency (1d, or 1week, 1month) for utility execution. The utility may be invoked 2-3 times in a day or once in 2 days from end users. The goal is to showcase total asset count whenever utility is executed and how much is the growth after last execution. I found the "delta" keyword which may help me but still struggling to leverage it to get exact result.

The end goal is to show a stacked bar chart with the upper stack representing the count growth and lower stack representing the total count.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-26-2019 05:54 PM

Why are we messing around? Post sample events, then post a mockup of the desired output.

0 Karma
Reply

Anam
Community Manager
Community Manager
‎04-24-2019 08:56 AM

Hi @yourcd

Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too.

Thanks!

0 Karma
Reply

yourcd
New Member
‎04-26-2019 11:03 AM

Hi assidique,

Actually I am still looking out for the relevant answer.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-21-2019 06:08 AM

Do your timechart and pipe it to another timechart. Here is a run-anywhere example:

index=_* sourcetype=splunkd earliest=-24h latest=now
| timechart span=1h count BY group 
| untable _time group count
| streamstats current=f last(count) AS prev_count BY group
| eval diff = coalesce(prev_count - count, 0)
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-18-2019 04:47 PM

Assuming the previous value you mentioned is the previous value, you can use streamstats to do this like so

| streamstats window=1 latest(<FIELD_NAME>)

If you meant you want to see the difference between the value today at this time and yesterday at the same time, you use timewrap like this 

| timechart ... 
| timewrap 1d
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...