Dashboards & Visualizations

How to add trend line in saved search

aditsss
Motivator

Hi Everyone,

I have one panel which consists of saved search.

The query is below:

|savedsearch "splunk_data_last_24_hours"

 

<panel>
<single>
<search>
<query>|savedsearch "splunk_data_last_24_hours"</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0x53a051","0x53a051"]</option>
<option name="rangeValues">[0.175]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Splunk Data - Last 24 hours</option>
<option name="unit">GB</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">0</option>
</single>
</panel>

How can I add trend here.

Can anyone guide me on this.

Thanks in advance

Labels (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What does your saved search return?

0 Karma

aditsss
Motivator

@ITWhisperer 

This is the base query for saved search

 

index="abc*" OR index="xyz*" | eval raw_len=len(_raw) | stats sum(raw_len) as total_bytes by sourcetype |eval MB=total_bytes/pow(1024,2)| stats sum(MB)

I want to convert it in trend line. 

I want to show this for today.

what changes are required in my query

Can you guide me in that.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Your saved search only returns a single value with no time component so you don't have anything to trend against

0 Karma

aditsss
Motivator

@ITWhisperer 

I want to convert it into trend. I don't want sum now .

Can I used timechart.

Can you guide me on that.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

How have you done trends in the past? What do you want to base the trend on? What time periods do you want?

0 Karma

aditsss
Motivator

@ITWhisperer 

I want to use this query

index="abc*" OR index="xyz*" | eval raw_len=len(_raw) | stats sum(raw_len) as total_bytes by sourcetype |eval MB=total_bytes/pow(1024,2)

How can I make this as trendline on time bases

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You know how to do trends as you have demonstrated in the past e.g. https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-total-counts-for-SUCCESS-AN...

 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...