- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to show trend in a dashboard that uses a s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My dashboard has various panels that all use one shared time picker at the top of the screen.
I want my first panel to show the total events, with a trend.
Modifying the panel's own time range, even putting the earliest and latest, doesn't work, because the time picker at the top overrides it.
Ideally, the trend should also adapt to the time picker, such that if the time picker is set to "Last 5 Minutes", the trend will show total events from the last 5 minutes compared to the previous 5 minutes.
If the time picker is set to "Last Hour", the trend should show total events from the last hour compared to the previous hour and so on.
Is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunklearner1234 take out span=5m from your single value chart query and span will be adjusted dynamically based on time selected in the time picker. Refer to Splunk Documentation on Default Time Spans: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Default_time_spans
If you want your own time span depending on time selected not the default one please let us know what span needs to be applied under various durations between earliest and latest time.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunklearner1234 take out span=5m from your single value chart query and span will be adjusted dynamically based on time selected in the time picker. Refer to Splunk Documentation on Default Time Spans: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Default_time_spans
If you want your own time span depending on time selected not the default one please let us know what span needs to be applied under various durations between earliest and latest time.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello niketnilay, that perfectly solved my problem, well done for understanding my poor explanation. Now I don't even need a separate time picker for my single value trend visual. I did not know about those default times so that's very helpful, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunklearner1234 I am glad the solution worked for you. I have converted my comment to answer. Please accept the same to mark this question as answered.
Do think about Splunk Answers for your Splunk queries. Also as stated by Gregg, for us to assist you better post more details to your question with what you have and what you want with data sample and code snippet.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed putting in a manual trendline just by doing "source=source_name | timechart span=5m count", I just have to make sure not to go beyond the earliest time I have indexed, and refer to the panel's own time frame picker token in the time range setting. I've not yet managed to automatically adjust the trend time depending on the main time frame used for the other panels.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this to your existing search:
... | addinfo | rename info_* AS _info_*
Then store Timepicker details in tokens with XML like this:
<eval token="trend_span">(_info_max_time - _info_min_time)</eval>
<eval token="trend_earliest">_info_min_time - (_info_max_time - _info_min_time)</eval>
<eval token="trend_latest">_info_max_time</eval>
Then to build your trendlines just do this in another panel:
index="foo" sourcetype="bar" earliest=$trend_earliest$ latest=$trend_latest$ | bin _time span=$trend_span$ | stats count BY _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't quite understand this. Will this give me two panels? Is it possible to do this using search strings only?
By the way not sure if it was clear, but I have a single value visualisation which I want to show the trend such as "50000 ↓450" , I don't have a chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am completely baffled at this point as to what you really need. I always say the same thing:
1: Show us your sample events.
2: Show us a mockup of your desired tabular output
3: Show us a mockup of your desired visualization
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi woodcock, sorry for my poor explanation. niketnilay has answered my question, thanks for your help though!
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
