I am trying to build a dashboard with Total transactions, Total Successful transactions, Total Failed transactions and a time chart with span that shows successful and failed transactions. I would like to give users an option to pick day-to-day, week-to-week and month-to-month and also the number of days or weeks or months they want to compare. Depending on the options they picked, my dashboard displays the relevant information.
Please help me figure out how to achieve this. Day-to-Day will be 7 days, week-to-week will be 4 weeks and month-to-month will be 4 months.
You're welcome to say so if there is a better way of achieving the same outcome.
@sandeepmakkena you should explore the timewrap command (Splunk 6.5 and above). However, depending on the variation in the time overlap you can also check out the Splunk Blog to overlay two time series: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html
Be conscious of Sub Search limitations as data truncation may drop events.
Thanks for the reply, but that does not answer a few more questions I have:
1. Best way to display a single value for each day? Like total transactions today, yesterday, the day before and so on.
2. I would like to give them an option to pick the span depending on the time range they picked: if it's 24 hrs, the span options should be 15 min, 30 min or 1 hr. If the time range is more than 24 hrs, the span options should be like 1 hr etc.
If you are showing time series data, one option would be to use Single Value Visualization with Trending. However, if you just want to show the total count for a day or previous day etc., you can use Splunk Post Processing Search to perform a sum() of count for a particular day (result of the timechart command in the base search) and display the same in a Single Value Panel (or HTML Panel).
For Post Processing Search example and Single Value Visualization, please refer to Splunk Dashboard Examples App.
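A Simple XML sketch of the comparison dropdown discussed in this thread, combining `timechart` with the `timewrap` command. This is an added example and not code from any poster or from Splunk; the index name `transactions` and the `status` field with values `success` and `failed` are assumptions, as are the token names.

```xml
<form>
  <!-- Added example. Assumed: index=transactions, field status=success|failed. -->
  <label>Transaction comparison</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="mode" searchWhenChanged="true">
      <label>Compare</label>
      <choice value="day">Day-to-day (7 days)</choice>
      <choice value="week">Week-to-week (4 weeks)</choice>
      <choice value="month">Month-to-month (4 months)</choice>
      <default>day</default>
      <!-- Each choice sets the search window, the bucket span and the wrap period together -->
      <change>
        <condition value="day">
          <set token="cmp_earliest">-7d@d</set>
          <set token="cmp_span">1h</set>
          <set token="cmp_wrap">1day</set>
        </condition>
        <condition value="week">
          <set token="cmp_earliest">-4w@w</set>
          <set token="cmp_span">1d</set>
          <set token="cmp_wrap">1week</set>
        </condition>
        <condition value="month">
          <set token="cmp_earliest">-4mon@mon</set>
          <set token="cmp_span">1d</set>
          <set token="cmp_wrap">1month</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Successful vs failed transactions</title>
        <search>
          <!-- timewrap overlays each day/week/month as its own series; no subsearch is involved -->
          <query>index=transactions | timechart span=$cmp_span$ count(eval(status="success")) AS successful count(eval(status="failed")) AS failed | timewrap $cmp_wrap$</query>
          <earliest>$cmp_earliest$</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

A second dropdown bound to `cmp_span` could expose the 15 min, 30 min and 1 hr choices asked about above instead of fixing the span per comparison mode.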