Dashboards & Visualizations

Is it possible to use different fields for trend and displayed value in a Single Value visualization?

krdo
Communicator

Hi fellow splunkers,

My search produces a time series with two values; the trend field indicates the number of events in the current bin, the total field the total number of events in the time range. When using a Single Value visualization it looks like this:

What I want is to display the value of the total field instead of the last value of the trend field. BUT the sparkline and trend indicator should still display the values of the trend field.

This is what I want it to look like (edited with an image editor):

Is this possible? I used an ugly hack in Splunk 6.3 which modified the updateResultState JavaScript function to achieve this, but that solution does not work anymore in 6.5 (and I don't think that was a good idea anyway).

0 Karma
1 Solution

niketn
Legend

Trendline in Single Value visualization displays last data compared to its previous value and the Trend is the difference of both. In your case -10,300 indicates that latest Data 9288 is 10,300 less than previous data i.e. 19,588. In other words chart

Option 1
If you want both the trendline and the Total Count, the easiest way would be to assign the Total Count to a token and print it in an HTML panel before or after the Single Value visualization in the same panel.

Please let me know if you need further details on html panel.

Option 2
If you append the following addcoltotals command to your existing timechart, it will give you the Total in the Single Value panel. However, since the trend indicator compares the final two values, it will always be 0 or positive. The trend indicator will display the difference between the Total and the trend value for the last time bucket. In this example the two values will be 105860 and +96572.

index=_internal
 | timechart span=1m last(total) AS total
 | addcoltotals trend labelfield=_time

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
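
Option 1 from the accepted answer, written out as a Simple XML dashboard. This is an added example, not code posted in the thread; the token name tokTotal, the two search queries, the 60-minute time range and the inline styling are assumptions.

```xml
<dashboard>
  <label>Total with trend (added example)</label>

  <!-- Assumed search: computes the total over the whole time range
       and stores it in the token tokTotal once the search is done. -->
  <search>
    <query>index=_internal | stats count AS total</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <done>
      <set token="tokTotal">$result.total$</set>
    </done>
  </search>

  <row>
    <panel>
      <!-- HTML element prints the total above the Single Value. -->
      <html>
        <div style="text-align:center; font-size:300%;">$tokTotal$</div>
      </html>

      <!-- Single Value keeps using the per-bin count, so the sparkline
           and trend indicator still reflect the trend field. -->
      <single>
        <search>
          <query>index=_internal | timechart span=1m count AS trend</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendDisplayMode">absolute</option>
      </single>
    </panel>
  </row>
</dashboard>
```

The Single Value still shows the last value of trend as its large number; the total appears in the HTML element of the same panel.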


krdo
Communicator

That's what I thought. I was hoping this could be done in a single visualization. Will try to create a custom visualization based on the Single Value visualization... otherwise I'll have to go with Option 1.

0 Karma

gcusello
SplunkTrust

Hi krdo,
I suppose that there is something more in your request, because the easiest way to solve your problem is to change your search and display only the requested value:

index=_internal
| eventstats count AS total
| timechart span=1m last(total) AS total

Anyway, if you want to keep your search, you could insert <fields>total</fields> in your Single Value panel options.
In this way only the total value is displayed.
Bye.
Giuseppe

0 Karma

krdo
Communicator

Using field or modifying the search will also change the sparkline and trend indicator - but I want to change the large/displayed value only (marked with red box in second screenshot).

0 Karma

gcusello
SplunkTrust

Hi krdo,
If I understood: you would have "total" in the single value and "trend" in trendline, correct?
If this is your desire, I don't think that it's possible; you could create two different panels: one with the single value (total) and one with the trendline (trend).
Bye.
Giuseppe

0 Karma

krdo
Communicator

Yes, that's what I'm trying to do. Seems to be impossible in a single visualization.

0 Karma

robtun1
Explorer

This worked for me - gives change and the total in a single panel

|tstats count where index=office365 by _time span=15m | streamstats sum(count) AS TOTAL | fields TOTAL

0 Karma