How would I avoid negative value in trend indicato...

ojtoids · ‎08-04-2022

I am trying to build a trending dashboard of the count of tickets we get. With the below query, I am trying to display the increase/decrease in the count of tickets we got for each type for the past two weeks.

index=tickets
Status IN ("Open", "Pending") earliest=-14D@w0 latest=@w0
| dedup ticketid 
| eval ticket_type=case(like(Tags,"%tag1%"),"Type1",
like(Tags,"%tag2%") AND !like(Tags,"%tag1%"), "Type2",
like(Tags,"%tag3%") AND !like(Tags,"%tag1%") AND !like(Tags,"%tag2%") , "Type3") 
| timechart usenull=f span=1w count by ticket_type

The problem is whenever we have more count(tickets) for the previous week, it shows the data with a "-" minus sign.

Question:

1. Not able to understand why a "-" would be there for a count.
2. Is there a way to suppress the "-" sign ?

dural_yyz · ‎08-04-2022

I'm sure there is a math option to turn the negative number to the same value on the positive side of the scale. However, once you change the negative to a positive you will change the direction of the arrows. It would constantly appear as though your period over period value is increasing.

TL;DR: The direction of the arrow is directly tied to a positive or negative value.

You can just do the single value without trend but I have a feeling that is not what you are after.

ojtoids · ‎08-04-2022

Yes, having a single value would defeat its purpose of showing trend comparison to last week.

How would I avoid negative value in trend indicator when using single value visualization?

timechart

trellis layout

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?