I have a time chart showing counts over a period of time using a bar chart. How to show the difference between the values on a bar? I want to display a hike (+/-) of the current count over the last count value. Please help.
Let me rephrase the scenario. In our application, we run a data report utility on demand which generates loggers of total count files in the application. While making a Splunk dashboard, I want to show the total files count generated over the period of time. This I am doing using timechart. However, I also wanted to show total file count growth compared to the last total count. The challenge I am facing here is, we don't have any specific frequency (1d, or 1week, 1month) for utility execution. The utility may be invoked 2-3 times in a day or once in 2 days by end users. The goal is to showcase total asset count whenever the utility is executed and how much the growth is after the last execution. I found the "delta" keyword which may help me, but I am still struggling to leverage it to get the exact result.
The end goal is to show a stacked bar chart with the upper stack representing the count growth and lower stack representing the total count.
Do your timechart and pipe it to another timechart. Here is a run-anywhere example:
index=_* sourcetype=splunkd earliest=-24h latest=now | timechart span=1h count BY group | untable _time group count | streamstats current=f last(count) AS prev_count BY group | eval diff = coalesce(prev_count - count, 0)
Assuming the previous value you mentioned is the previous value, you can use streamstats to do this like so:
| streamstats current=f window=1 latest(<FIELD_NAME>)
If you meant you want to see the difference between the value today at this time and yesterday at the same time, you use timewrap like this:
| timechart ... | timewrap 1d
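The streamstats approach from the answers above, applied to the irregular-execution case in the question, as an added example that is not part of the original thread. The five runs, their timestamps and the field names total_files, prev_total, growth and run_time are constructed for illustration; it keeps one row per utility run instead of a fixed timechart span, so runs that land in the same day stay separate.

```spl
| makeresults count=5
| streamstats count AS run
| eval _time = relative_time(now(), "-5d@d") + case(run=1, 3600, run=2, 40000, run=3, 200000, run=4, 210000, run=5, 380000)
| eval total_files = case(run=1, 1200, run=2, 1260, run=3, 1260, run=4, 1245, run=5, 1400)
| sort 0 _time
| streamstats current=f window=1 last(total_files) AS prev_total
| eval growth = coalesce(total_files - prev_total, 0)
| eval run_time = strftime(_time, "%Y-%m-%d %H:%M")
| table run_time total_files growth
```

With the constructed values the growth column comes out as 0, 60, 0, -15 and 155. Rendered as a column chart in stacked mode, total_files is the lower series and growth the upper one.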