Hello, I'm a total Splunk novice, so sorry if this is a completely obvious solution.
I have a SingleValue visualization that I'd like to add a trend component to (so I'm switching from `stats count` to `timechart count`). The issue is that I want the discrete events to be aggregated into a single count based on a span consistent with the time picker. The default timechart behavior has all events being counted separately.
Example: Timepicker input is set to last 24 hours. I now want my timechart command to have a span of 24h. This should work dynamically with any timepicker value.
From what I've researched so far, it looks as though I need to mess around with the source xml, and some tokens, but I'm not sure what exactly to do. I tried to simply set `span = $time_tok$`, but that was not successful.
Thanks for the help in advance!
If you want a single value viz with trend, then you cannot have the timechart span=X the same as the time picker window, as you will only get 1 (or two depending on the snap to time picker setting) value.
In that case, you cannot get a trend as the trend works by looking at the data points in the timechart.
There are two aspects to showing trend in single value viz - the timechart span and the trend span, of which the trend span must be equal to or larger than the timechart span for it to have an effect.
So, if you have your time picker of 24 hours, what do you want the trend to show? If you want it to show an hourly trend, you cannot set your timechart span= interval to more than one hour.
The single value viz has a setting where you can set the trend range, but the data must exist for it to show it, e.g. in the XML you can see something like this, which in this case represents a custom trend interval.
`<option name="trendInterval">-10m</option>`
In order to do dynamic span settings, you will have to play with tokens and some post processing of searches - not too hard. Here is an example dashboard that gives you some basics.
I have included the first panel as a visible panel, so you can see the results of the search that is calculating the tokens, but it's effectively running a search to calculate your time picker window then assuming you want 24 timechart intervals, and the trend comparison to be two intervals. Note the trend sparkline shows the trend across all 24 calculated intervals.
Note that with single value viz and trends, the trend may show odd movements, as the last time window may be smaller than the full span window as it's dependent on the "snap to" setting of the time picker.
```xml
<form>
  <label>Spans</label>
  <fieldset submitButton="false">
    <input type="time" token="time_range" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <set token="tc_span">$result.tc_span$</set>
            <set token="tr_span">$result.tr_span$</set>
          </done>
          <query>| makeresults
| addinfo
| eval maxt=if(isnum(info_max_time),info_max_time,now())
| eval spanLength=maxt-info_min_time
| eval mins=floor(spanLength/60)
| eval spanMins=ceil(mins/24)
| eval trendSpan=spanMins*2
| eval tc_span=spanMins."m"
| eval tr_span="-".trendSpan."m"</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal
| timechart span=$tc_span$ count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trendInterval">$tr_span$</option>
      </single>
    </panel>
  </row>
</form>
```
Hopefully this example dashboard, which searches the _internal index to get data, gives you a leg up to tokens and search handling. If you don't have rights to search that index, just change the `index=_internal` to something you can see and it will work.
If you want to make that panel invisible, then the simplest way is to change the `<row>` statement to be
`<row depends="$hidden$">`
where the `$hidden$` token represents a non-existent token, so the panel will never show, but the search still runs.
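As an added example (not part of the answer above, and not Splunk's own code), here is a small Python model of the token-calculating search in the first panel. It lets you check, offline, which `tc_span` / `tr_span` values a given time picker selection produces and how many timechart buckets that leaves for the sparkline. The function names are hypothetical; `relative_seconds` is a deliberately simplified version of Splunk's relative time modifiers (no snap-to suffixes), and the clamp to a one-minute minimum span is my addition, not something the original SPL does.

```python
import math
import re
import time

# Unit table for the simplified relative-time parser below (constructed for this example)
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def relative_seconds(modifier):
    """Convert a simple Splunk-style relative time modifier such as "-24h" or "-7d"
    into an offset in seconds.  Simplified on purpose: snap-to suffixes like "@d"
    are not handled, and snapping is exactly what the answer warns can make the
    last bucket shorter than the span."""
    if modifier == "now":
        return 0
    m = re.fullmatch(r"([+-]?)(\d+)([smhdw])", modifier)
    if not m:
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    sign, amount, unit = m.groups()
    seconds = int(amount) * _UNIT_SECONDS[unit]
    return -seconds if sign == "-" else seconds


def span_tokens(info_min_time, info_max_time, now=None, intervals=24, trend_intervals=2):
    """Python mirror of the SPL in the first panel:

        | eval maxt=if(isnum(info_max_time),info_max_time,now())
        | eval spanLength=maxt-info_min_time
        | eval mins=floor(spanLength/60)
        | eval spanMins=ceil(mins/24)
        | eval trendSpan=spanMins*2
        | eval tc_span=spanMins."m"
        | eval tr_span="-".trendSpan."m"

    info_max_time may be non-numeric (addinfo reports an open-ended latest that
    way); then the search falls back to now(), exactly like the isnum() guard.
    """
    if now is None:
        now = time.time()
    numeric_max = isinstance(info_max_time, (int, float)) and math.isfinite(info_max_time)
    maxt = info_max_time if numeric_max else now
    span_length = maxt - info_min_time
    mins = math.floor(span_length / 60)
    span_mins = math.ceil(mins / intervals)
    # Assumption beyond the original SPL: a picker window shorter than one minute
    # would otherwise give spanMins=0 and an invalid "span=0m"; clamp to 1 minute.
    span_mins = max(span_mins, 1)
    trend_span = span_mins * trend_intervals
    return {"tc_span": f"{span_mins}m", "tr_span": f"-{trend_span}m"}


def tokens_for_picker(earliest, latest="now", now=None):
    """Resolve a time picker selection (e.g. earliest="-24h", latest="now") to epoch
    seconds and return the tokens the dashboard's <done> block would set."""
    if now is None:
        now = time.time()
    info_min_time = now + relative_seconds(earliest)
    info_max_time = now + relative_seconds(latest)
    return span_tokens(info_min_time, info_max_time, now=now)


def bucket_count(earliest, latest="now", now=None):
    """Number of timechart buckets the chosen span yields for the window.  By
    construction this is never more than 24 (ignoring snap-to alignment), which
    is what lets the single value sparkline show a trend across the whole window."""
    if now is None:
        now = time.time()
    window_mins = math.floor((relative_seconds(latest) - relative_seconds(earliest)) / 60)
    span_mins = int(tokens_for_picker(earliest, latest, now=now)["tc_span"].rstrip("m"))
    return math.ceil(window_mins / span_mins)


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed epoch so the demo output is deterministic
    for earliest in ("-15m", "-4h", "-24h", "-7d"):
        print(earliest, tokens_for_picker(earliest, now=fixed_now), bucket_count(earliest, now=fixed_now))
```

Running it shows the relationship the answer describes: a 24-hour picker gives `span=60m` with a `-120m` trend interval (24 buckets), while a 15-minute picker gives `span=1m` and `-2m` (15 buckets), so the trend interval is always at least as large as the timechart span.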
Thank you for your detailed explanation. This makes sense to me, and I see now that what I was after was flawed all along.