Re: How to add trend line in saved search

aditsss · ‎02-25-2021

Hi Everyone,

I have one panel which consists of saved search.

The query is below:

|savedsearch "splunk_data_last_24_hours"

<panel>
<single>
<search>
<query>|savedsearch "splunk_data_last_24_hours"</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0x53a051","0x53a051"]</option>
<option name="rangeValues">[0.175]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Splunk Data - Last 24 hours</option>
<option name="unit">GB</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">0</option>
</single>
</panel>

How can I add trend here.

Can anyone guide me on this.

Thanks in advance

ITWhisperer · ‎02-25-2021

What does your saved search return?

aditsss · ‎02-26-2021

@ITWhisperer

This is the base query for saved search

index="abc*" OR index="xyz*" | eval raw_len=len(_raw) | stats sum(raw_len) as total_bytes by sourcetype |eval MB=total_bytes/pow(1024,2)| stats sum(MB)

I want to convert it in trend line.

I want to show this for today.

what changes are required in my query

Can you guide me in that.

ITWhisperer · ‎02-26-2021

Your saved search only returns a single value with no time component so you don't have anything to trend against

aditsss · ‎02-26-2021

@ITWhisperer

I want to convert it into trend. I don't want sum now .

Can I used timechart.

Can you guide me on that.

ITWhisperer · ‎02-26-2021

How have you done trends in the past? What do you want to base the trend on? What time periods do you want?

aditsss · ‎02-26-2021

@ITWhisperer

I want to use this query

index="abc*" OR index="xyz*" | eval raw_len=len(_raw) | stats sum(raw_len) as total_bytes by sourcetype |eval MB=total_bytes/pow(1024,2)

How can I make this as trendline on time bases

ITWhisperer · ‎02-26-2021

You know how to do trends as you have demonstrated in the past e.g. https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-total-counts-for-SUCCESS-AN...

How to add trend line in saved search

chart

simple XML

timechart

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to add trend line in saved search

chart

simple XML

timechart

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?