How do you compare a Single Value visualization to a sum of the prior day?

ccsfdave
Builder

Greetings,

My search is essentially a couple of time charts counting tweets and mentions. For final presentation I remove the tweet and mention fields and am left with the addtotals col=t as seen below. My single value dashboard gives me the 291 number at the bottom but then the % change is over 1000% because 291 is so much higher than 26. The reality is I want 291 compared to 265. So that would be like 9-10%.

_time          Total
2016-07-28  48
2016-07-29  120
2016-07-30  18
2016-07-31  79
2016-08-01  26
ColTotal    291

Can anyone think how I may accomplish this?

Thanks!

0 Karma
1 Solution

ccsfdave
Builder

| addtotals | streamstats sum(Total) as post_volume | fields - tweets mentions Total

I think this is the long and short of it. Definitely streamstats was the winner but had to change addtotals col=t to remove the column.

twinspop
Influencer

streamstats is what you probably want. Leave out the addcoltotals, and then something along the lines of:

... | streamstats window=5 current=t sum(count) as total | delta total as change | eval %=change/(total-change) | fields _time total %

0 Karma

ccsfdave
Builder

@twinspop I need the addtotals because I am adding two columns together for the totals column. I will try your solution with the totals as I have it but am dubious it will work in the single value visualization but am hoping my suspicions are unfounded.

0 Karma
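
An added example, not part of any post in this thread: a self-contained search that rebuilds the five daily totals from the question with makeresults (constructed rows), keeps a running sum with streamstats, and uses delta to compare each day's running total with the previous day's. The field names n and pct_change are assumptions; Total and post_volume follow the names used in the thread.

```spl
| makeresults count=5
| streamstats count as n
| eval _time=strptime(mvindex(split("2016-07-28,2016-07-29,2016-07-30,2016-07-31,2016-08-01", ","), n-1), "%Y-%m-%d")
| eval Total=tonumber(mvindex(split("48,120,18,79,26", ","), n-1))
| streamstats sum(Total) as post_volume
| delta post_volume as change
| eval pct_change=round(100*change/(post_volume-change), 1)
| fields _time post_volume pct_change
```

For the final row the comparison is 291 against 265, that is 100*26/265 or about 9.8%, in line with the 9-10% the question expects. The first row has no pct_change because delta has no previous value to subtract.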