I want to show a number in a single value and other number in a trendline with the arrow.
For example A, I have this query:
index=quickpay host=f1cloud* "*CompraAutorizacionGenerar* response*" ("xxxxx") sourcetype=QP_busadapter| dedup logid | search "codResp"=0""| rex "\[(?\w+)ServiceStub]" | rex "#MID=(?\w+)#C*" | eval Comercio=case(Comercio=="xxxxx","FACL BF") | rex field=_raw "(?P.+)" | table _time Comercio responseDesc logid | addcoltotals labelfield=logid | timechart span=30m count(logid) as "Cantidad de autorizaciones"
And it shows like this:
Then, the results show like this:
But, if you see, image 1 shows the trendline with the difference between the last number and the penultimate number: 19 - 5 = 14 and it shows -14 in trendline.
But we want to show in trendline the penultimate number, 19, with the arrow downing, because the last number was 5.
How can I show this in Splunk?
I cannot find any way to fake it (I tried
fieldformat and several other trickeries) and the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting) does not list out any options so it looks like you will have to make your own custom viz. For anybody else having a go, here is some SPL to get you started:
| makeresults | eval value="8 9 8 11 15 7 11 19 5" | makemv value | mvexpand value | streamstats count AS _pos | eventstats max(_pos) AS _count | eval _time = _time + _pos | eval _showvalue=if(_pos == (_count - 1), value, null()) | eventstats first(_showvalue) AS _showvalue
@czunigab , As you already have seen
Default Single Value Trend behavior compares final result with penultimate result and
shows the final value as the Single Value and Difference between final and penultimate value as Trend Value. Positive or Negative Shows the trend Up or Down
However, your expected behavior is to
show penultimate result as Single Value and Final value as Trend Value along with actual trend indicator.
As stated by @woodcock with built in Single value visualization behavior your expected output would not be possible if you want to show trend as well. So you can try with the following without trendline.
Try the following run anywhere examples
Option 1 : Show only last two values no trendline
| makeresults | eval _time=relative_time(_time,"@h") | eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800 | makemv logid delim=" " | mvexpand logid | accum delta_time | eval _time=_time-delta_time | table _time logid | tail 2 | reverse | streamstats count as sno | streamstats current=f window=1 last(logid) as prev | reverse | streamstats current=f window=1 last(logid) as next | eval logid=if(sno=2,logid+prev,logid)
Option 2: Single Value and Trend as per your requirement but Trendline will not be correct for the final two results
| makeresults | eval _time=relative_time(_time,"@h") | eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800 | makemv logid delim=" " | mvexpand logid | accum delta_time | eval _time=_time-delta_time | table _time logid | reverse | streamstats last(logid) as next_logid current=f window=1 | streamstats count as sno | reverse | streamstats last(logid) as prev_logid current=f window=1 | eval final_logid=case(sno=1,prev_logid,sno=2,logid+next_logid,true(),logid) | table _time final_logid
This will not work. It only appeared to work because Splunk resorted your list and reversed it. If you add a
| sort 0 _time to put it back to the way that
timechart sorts it, you will see that this does not work.