
How to show trend in a dashboard that uses a shared time picker

Path Finder

My dashboard has various panels that all use one shared time picker at the top of the screen.
I want my first panel to show the total events, with a trend.

Modifying the panel's own time range, even putting the earliest and latest, doesn't work, because the time picker at the top overrides it.
Ideally, the trend should also adapt to the time picker, such that if the time picker is set to "Last 5 Minutes", the trend will show total events from the last 5 minutes compared to the previous 5 minutes.
If the time picker is set to "Last Hour", the trend should show total events from the last hour compared to the previous hour and so on.
Is this possible?

0 Karma

Re: How to show trend in a dashboard that uses a shared time picker

Esteemed Legend

Add this to your existing search:

... | addinfo | rename info_* AS _info_*

Then store Timepicker details in tokens with XML like this:

<eval token="trend_span">(_info_max_time - _info_min_time)</eval>
<eval token="trend_earliest">_info_min_time - (_info_max_time - _info_min_time)</eval>
<eval token="trend_latest">_info_max_time</eval>

Then to build your trendlines just do this in another panel:

index="foo" sourcetype="bar" earliest=$trend_earliest$ latest=$trend_latest$ | bin _time span=$trend_span$ | stats count BY _time
0 Karma
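
A Python model of the token arithmetic in the answer above, added here as an illustration and not code from the thread: it extends the picker window backwards by its own length, splits it at info_min_time, and formats the result the way a single value with trend reads. The function names, the sample timestamps and the handling of an "All time" picker are assumptions of this example.

```python
import math
from bisect import bisect_left

def trend_tokens(info_min_time, info_max_time):
    """Mirror the three <eval> tokens (trend_span, trend_earliest, trend_latest)."""
    lo, hi = float(info_min_time), float(info_max_time)
    if not math.isfinite(hi) or hi <= lo:
        # Assumption: with an "All time" picker addinfo reports info_max_time
        # as +Infinity, so no previous window of equal length exists.
        return None
    span = hi - lo
    return {"trend_span": span, "trend_earliest": lo - span, "trend_latest": hi}

def single_value_with_trend(event_times, info_min_time, info_max_time):
    """Return (current_count, delta) for the picker window vs. the one before it."""
    tok = trend_tokens(info_min_time, info_max_time)
    if tok is None:
        return None
    ts = sorted(event_times)
    split = tok["trend_latest"] - tok["trend_span"]  # equals info_min_time
    # Windows are half-open: earliest is inclusive, latest is exclusive.
    a = bisect_left(ts, tok["trend_earliest"])
    b = bisect_left(ts, split)
    c = bisect_left(ts, tok["trend_latest"])
    previous, current = b - a, c - b
    return current, current - previous

def render(current, delta):
    """Format like a single value visualization with a trend indicator."""
    arrow = "↑" if delta > 0 else "↓" if delta < 0 else "→"
    return f"{current} {arrow}{abs(delta)}"

# Constructed sample: event timestamps (epoch seconds) relative to a fixed "now".
NOW = 1_700_000_000
EVENTS = [NOW - 590, NOW - 400, NOW - 310, NOW - 250, NOW - 20]

if __name__ == "__main__":
    # Picker set to "Last 5 Minutes": compares [NOW-300, NOW) with [NOW-600, NOW-300).
    print(render(*single_value_with_trend(EVENTS, NOW - 300, NOW)))
    # Picker set to "Last Hour": the previous hour holds no sample events.
    print(render(*single_value_with_trend(EVENTS, NOW - 3600, NOW)))
```
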

Re: How to show trend in a dashboard that uses a shared time picker

Path Finder

I don't quite understand this. Will this give me two panels? Is it possible to do this using search strings only?
By the way, I'm not sure if it was clear, but I have a single value visualisation in which I want to show the trend, such as "50000 ↓450"; I don't have a chart.

0 Karma

Re: How to show trend in a dashboard that uses a shared time picker

Esteemed Legend

I am completely baffled at this point as to what you really need. I always say the same thing:
1: Show us your sample events.
2: Show us a mockup of your desired tabular output.
3: Show us a mockup of your desired visualization.

0 Karma

Re: How to show trend in a dashboard that uses a shared time picker

Path Finder

Hi woodcock, sorry for my poor explanation. niketnilay has answered my question, thanks for your help though!

0 Karma

Re: How to show trend in a dashboard that uses a shared time picker

Path Finder

I managed to put in a manual trendline just by doing "source=source_name | timechart span=5m count". I just have to make sure not to go beyond the earliest time I have indexed, and refer to the panel's own time frame picker token in the time range setting. I've not yet managed to automatically adjust the trend time depending on the main time frame used for the other panels.

0 Karma

Re: How to show trend in a dashboard that uses a shared time picker

Legend

@splunklearner1234 take out span=5m from your single value chart query, and the span will be adjusted dynamically based on the time selected in the time picker. Refer to Splunk Documentation on Default Time Spans: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Default_time_spans

If you want your own time span depending on the time selected, not the default one, please let us know what span needs to be applied under various durations between the earliest and latest time.




| eval message="Happy Splunking!!!"



0 Karma

Re: How to show trend in a dashboard that uses a shared time picker

Path Finder

Hello niketnilay, that perfectly solved my problem, well done for understanding my poor explanation. Now I don't even need a separate time picker for my single value trend visual. I did not know about those default times so that's very helpful, thank you.

0 Karma

Re: How to show trend in a dashboard that uses a shared time picker

Legend

@splunklearner1234 I am glad the solution worked for you. I have converted my comment to an answer. Please accept the same to mark this question as answered.

Do think about Splunk Answers for your Splunk queries. Also, as stated by Gregg, for us to assist you better, post more details in your question on what you have and what you want, with a data sample and code snippet.




| eval message="Happy Splunking!!!"


0 Karma