
How can I show the single value and the trendline number at the same time?

Explorer

Hello,

I want to show a number in a single value and another number in a trendline with the arrow.
For example A, I have this query:

index=quickpay host=f1cloud* "*CompraAutorizacionGenerar* response*" ("xxxxx") sourcetype=QP_busadapter
| dedup logid
| search "codResp"=0""
| rex "\[(?\w+)ServiceStub]"
| rex "#MID=(?\w+)#C*"
| eval Comercio=case(Comercio=="xxxxx","FACL BF")
| rex field=_raw "(?P.+)"
| table _time Comercio responseDesc logid
| addcoltotals labelfield=logid
| timechart span=30m count(logid) as "Cantidad de autorizaciones"

And it shows like this:
[Image 1]

Then, the results show like this:
[Image 2]

But, as you can see, image 1 shows the trendline with the difference between the last number and the penultimate number: 19 - 5 = 14, and it shows -14 in the trendline.

But we want to show the penultimate number, 19, in the trendline, with the arrow pointing down, because the last number was 5.

How can I show this in Splunk?

Thank you!!


Re: How can I show the single value and the trendline number at the same time?

SplunkTrust

Try adding | tail 2 at the end of your current search.

0 Karma

Re: How can I show the single value and the trendline number at the same time?

Explorer

Hi, I tried, but I got the response: "no results found" 😞

0 Karma

Re: How can I show the single value and the trendline number at the same time?

Esteemed Legend

This will not work. It only appeared to work because Splunk re-sorted your list and reversed it. If you add a | sort 0 _time to put it back to the way that timechart sorts it, you will see that this does not work.

0 Karma

Re: How can I show the single value and the trendline number at the same time?

Contributor

| sort - _time | head 2

0 Karma

Re: How can I show the single value and the trendline number at the same time?

Esteemed Legend

This gives the right big number, but destroys the trendline and gives the wrong trend value.

0 Karma

Re: How can I show the single value and the trendline number at the same time?

Explorer

Yes, it destroys the trendline and it shows wrong values.

0 Karma

Re: How can I show the single value and the trendline number at the same time?

Esteemed Legend

I cannot find any way to fake it (I tried fieldformat and several other trickeries) and the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting) does not list out any options, so it looks like you will have to make your own custom viz. For anybody else having a go, here is some SPL to get you started:

|  makeresults 
|  eval value="8 9 8 11 15 7 11 19 5"
|  makemv value
| mvexpand value
| streamstats count AS _pos
| eventstats max(_pos) AS _count
| eval _time = _time + _pos
| eval _showvalue=if(_pos == (_count - 1), value, null())
| eventstats first(_showvalue) AS _showvalue
0 Karma

Re: How can I show the single value and the trendline number at the same time?

Legend

@czunigab, as you have already seen:

The default Single Value trend behavior compares the final result with the penultimate result and shows the final value as the Single Value and the difference between the final and penultimate values as the Trend Value. Whether it is positive or negative shows the trend as up or down.
However, your expected behavior is to show the penultimate result as the Single Value and the final value as the Trend Value, along with the actual trend indicator.

As stated by @woodcock, with the built-in Single Value visualization behavior your expected output would not be possible if you want to show the trend as well. So you can try the following without the trendline.

Try the following run-anywhere examples:
Option 1: Show only the last two values, no trendline

| makeresults 
| eval _time=relative_time(_time,"@h") 
| eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800 
| makemv logid delim=" " 
| mvexpand logid 
| accum delta_time 
| eval _time=_time-delta_time 
| table _time logid
| tail 2
| reverse
| streamstats count as sno
| streamstats current=f window=1 last(logid) as prev
| reverse
| streamstats current=f window=1 last(logid) as next
| eval logid=if(sno=2,logid+prev,logid)

Option 2: Single Value and Trend as per your requirement, but the trendline will not be correct for the final two results

| makeresults 
| eval _time=relative_time(_time,"@h") 
| eval logid="8 9 8 11 15 7 11 19 5", delta_time=1800 
| makemv logid delim=" " 
| mvexpand logid 
| accum delta_time 
| eval _time=_time-delta_time 
| table _time logid
| reverse
| streamstats last(logid) as next_logid current=f window=1
| streamstats count as sno
| reverse
| streamstats last(logid) as prev_logid current=f window=1
| eval final_logid=case(sno=1,prev_logid,sno=2,logid+next_logid,true(),logid)
| table _time final_logid

If you want both trend and trendline as per your expectation you might have to use JavaScript to override the Values in Single Value Visualization for Single Result and Trend values.




| eval message="Happy Splunking!!!"


0 Karma
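
Added example, not part of any post above: a small Python model of the rule described in the thread (big number = last result row, trend value = last row minus the row before it), run over the thread's sample values so a row rewrite can be checked before it goes into a panel. The function names are made up for this example, and the model covers only the arithmetic, not Splunk's rendering.

```python
# Added example: a model of the Single Value rule described in the thread.
# Assumption: the big number is the last result row, the trend value is
# the last row minus the row before it, and the sparkline plots every row.

SERIES = [8, 9, 8, 11, 15, 7, 11, 19, 5]  # sample values used in the thread


def single_value(rows):
    """Return (big_number, trend_delta) for rows given in result order."""
    if not rows:
        return None  # nothing to render
    if len(rows) == 1:
        return rows[0], None  # no previous row, so no trend value
    return rows[-1], rows[-1] - rows[-2]


def sort_desc_head2(rows):
    """Model of `| sort - _time | head 2` applied to time-ascending rows."""
    return list(reversed(rows))[:2]


def option2_rewrite(rows):
    """Model of Option 2: the last row becomes the penultimate value and the
    penultimate row becomes penultimate + last, so the delta equals -last."""
    if len(rows) < 2:
        return list(rows)
    out = list(rows)
    prev, last = rows[-2], rows[-1]
    out[-1] = prev
    out[-2] = prev + last
    return out


def report(rows=SERIES):
    """Collect what the model shows for each approach tried in the thread."""
    return {
        "default": single_value(rows),
        "sort_desc_head2": single_value(sort_desc_head2(rows)),
        "option2": single_value(option2_rewrite(rows)),
        "option2_rows": option2_rewrite(rows),
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:16} {result}")
```

Under this model the Option 2 rewrite always yields a trend value of minus the latest count, so the arrow points down even when the latest count rose, and the plotted series carries 24 where the data had 19.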