How to add trend line in saved search

aditsss · ‎02-25-2021

Hi Everyone,

I have one panel which consists of saved search.

The query is below:

|savedsearch "splunk_data_last_24_hours"

<panel>
<single>
<search>
<query>|savedsearch "splunk_data_last_24_hours"</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0x53a051","0x53a051"]</option>
<option name="rangeValues">[0.175]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Splunk Data - Last 24 hours</option>
<option name="unit">GB</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">0</option>
</single>
</panel>

How can I add trend here.

Can anyone guide me on this.

Thanks in advance

ITWhisperer · ‎02-25-2021

What does your saved search return?

aditsss · ‎02-26-2021

@ITWhisperer

This is the base query for saved search

index="abc*" OR index="xyz*" | eval raw_len=len(_raw) | stats sum(raw_len) as total_bytes by sourcetype |eval MB=total_bytes/pow(1024,2)| stats sum(MB)

I want to convert it in trend line.

I want to show this for today.

what changes are required in my query

Can you guide me in that.

ITWhisperer · ‎02-26-2021

Your saved search only returns a single value with no time component so you don't have anything to trend against

aditsss · ‎02-26-2021

@ITWhisperer

I want to convert it into trend. I don't want sum now .

Can I used timechart.

Can you guide me on that.

ITWhisperer · ‎02-26-2021

How have you done trends in the past? What do you want to base the trend on? What time periods do you want?

aditsss · ‎02-26-2021

@ITWhisperer

I want to use this query

index="abc*" OR index="xyz*" | eval raw_len=len(_raw) | stats sum(raw_len) as total_bytes by sourcetype |eval MB=total_bytes/pow(1024,2)

How can I make this as trendline on time bases

ITWhisperer · ‎02-26-2021

You know how to do trends as you have demonstrated in the past e.g. https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-total-counts-for-SUCCESS-AN...

How to add trend line in saved search

chart

simple XML

timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!