Hi fellow splunkers,
My search produces a time series with two values; the trend field indicates the number of events in the current bin, the total field the total number of events in the time range. When using a Single Value visualization it looks like this:
What I want is to display the value of the total field instead of the last value of the trend field. BUT the sparkline and trend indicator should still display the values of the trend field.
This is what I want it to look like (edited with an image editor):
Is this possible? I used an ugly hack in Splunk 6.3 which modified the updateResultState JavaScript function to achieve this, but that solution does not work anymore in 6.5 (and I don't think that was a good idea anyway).
Trendline in Single Value visualization displays last data compared to its previous value and the Trend is the difference of both. In your case -10,300 indicates that latest Data 9288 is 10,300 less than previous data i.e. 19,588. In other words chart
Option 1
If you want both the trendline and the Total Count, the easiest way would be to assign the Total Count to a token and print it as an html panel before or after the Single Value visualization in the same panel.
Please let me know if you need further details on html panel.
Option 2
If you append the following addcoltotals command to your existing timechart, it will give you the Total in the Single Value panel. However, since the trend indicator compares the final two values, it will always be 0 or positive. The trend indicator will display the difference between the Total and the trend value for the last time bucket. In this example the two values will be 105860 and +96572
index=_internal
| timechart span=1m last(total) AS total
| addcoltotals trend labelfield=_time
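Option 1 from the answer above, written out as a Simple XML dashboard (an added example, not code from any poster in this thread). The base search, the search id `base`, the token name `total_tok` and the time range are assumptions standing in for the original poster's search, and it assumes a Splunk version whose Simple XML supports the `<done>` search event handler.

```xml
<dashboard>
  <label>Total with trend (added example)</label>
  <!-- Constructed stand-in search: "trend" is the per-bin count,
       "total" is the sum over the whole time range (same on every row). -->
  <search id="base">
    <query>index=_internal | timechart span=1m count AS trend | eventstats sum(trend) AS total</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <!-- When the search finishes, copy "total" from the first result row
         into a token (hypothetical name: total_tok). -->
    <done>
      <set token="total_tok">$result.total$</set>
    </done>
  </search>
  <row>
    <panel>
      <!-- The html element prints the token as the large number. -->
      <html>
        <h1 style="text-align:center">Total: $total_tok$</h1>
      </html>
      <!-- The Single Value element only sees "trend", so its sparkline
           and trend indicator keep following the per-bin values. -->
      <single>
        <search base="base">
          <query>fields _time trend</query>
        </search>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
      </single>
    </panel>
  </row>
</dashboard>
```

The Single Value element still prints the last trend value as its own large number; the total appears next to it in the same panel, which is the limitation discussed in the replies below.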
That's what I thought. I was hoping this could be done in a single visualization. Will try to create a custom visualization based on the Single Value visualization... otherwise I'll have to go with Option 1.
Hi krdo,
I suppose that there is something more in your request, because the easiest way to solve your problem is to change your search and display only the requested value:
index=_internal
| eventstats count AS total
| timechart span=1m last(total) AS total
Anyway, if you want to keep your search, you could insert <fields>total</fields> in your Single Value panel options.
This way only the total value is displayed.
Bye.
Giuseppe
Using field or modifying the search will also change the sparkline and trend indicator - but I want to change the large/displayed value only (marked with red box in second screenshot).
Hi krdo,
If I understood: you would have "total" in the single value and "trend" in trendline, correct?
If this is your desire, I don't think that it's possible; you could create two different panels: one with the single value (total) and one with the trendline (trend).
Bye.
Giuseppe
Yes, that's what I'm trying to do. Seems to be impossible in a single visualization.
This worked for me - gives change and the total in a single panel
|tstats count where index=office365 by _time span=15m | streamstats sum(count) AS TOTAL | fields TOTAL