Solved: Re: Single Value, trellis, and search

eholz1 · ‎03-16-2023

Hello all,

I have three individual searches for a single value viz. the value for each viz is a sum of a field.

I have bytes, bytes_in, and bytes_out. Each search is | stats sum(bytes) as Total, sum(bytes_in) as In, and sum(bytes_out) as Out

So 3 searches for each field, and a single value viz for each field. I have looked at the trellis viz, but it is not much help. My actual spl is using the same formula for each field: index=squid
| stats sum(bytes_in) as TotalBytes
| eval gigabytes=TotalBytes/1024/1024/1024
| rename gigabytes as "Bytes In"
| table "Bytes In"

Is there some way to put all three stats commands in the same search, and maybe the trellis can get each calculation? I looked at trying to put each single value in a table 3 column by one row, etc

How can this be accomplished.

Thanks again,

eholz1

yeahnah · ‎03-16-2023

Hi @eholz1

Here's an example of how to do it...

| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
``` ignore above - just creating dummy events ```
| stats sum(bytes) as Total
        sum(bytes_in) as In
        sum(bytes_out) as Out
| foreach Total In Out [ eval <<FIELD>>_gb=('<<FIELD>>'/1024/1024/1024) ]
| fields *gb

Hope it helps

View solution in original post

yeahnah · ‎03-16-2023

Hi @eholz1

Here's an example of how to do it...

| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
``` ignore above - just creating dummy events ```
| stats sum(bytes) as Total
        sum(bytes_in) as In
        sum(bytes_out) as Out
| foreach Total In Out [ eval <<FIELD>>_gb=('<<FIELD>>'/1024/1024/1024) ]
| fields *gb

Hope it helps

eholz1 · ‎03-16-2023

One more queston, this works great. Is there a way I can set a static color based on the "title" of the trellis viz?

i.e. In_gb is green, Out_gb is blue, etc.

Thanks again for an excellent solution.

I would like to have a different color for each result (in block mode)

thanks again,

eholz1

yeahnah · ‎03-16-2023

I don't believe so, not by any standard means, at least (custom javascript anyone?). The use of colors is based on the values only.

If you want something like that then I suggest just using single values panels side by side, like this example.

here's the run anywhere dashboard code for the example above

<dashboard>
  <label>sv panel colored</label>
  <search id="base_search">
    <query>| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
| stats sum(bytes) as Total
        sum(bytes_in) as In
        sum(bytes_out) as Out
| foreach Total In Out [ eval &lt;&lt;FIELD&gt;&gt;_gb=('&lt;&lt;FIELD&gt;&gt;'/1024/1024/1024) ]
| fields *gb
    </query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <html>
        <style>
        #trellis {
          width:40% !important;
        }
        #sv_panel1, #sv_panel2, #sv_panel3 {
          width:20% !important;
        }
       </style>
     </html>
    </panel>
  </row>
  <row>
    <panel id="trellis">
      <title>trellis</title>
      <single>
        <search base="base_search">
          <query/>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel1">
      <single>
        <title>In_gb</title>
        <search base="base_search">
          <query>fields In_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel2">
      <single>
        <title>Out_gb</title>
        <search base="base_search">
          <query>fields Out_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x006d9c","0x006d9c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel3">
      <single>
        <title>Total_gb</title>
        <search base="base_search">
          <query>fields Total_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xf8be34","0xf8be34"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

eholz1 · ‎03-17-2023

Wow, Thanks again for the input. I appreciate it.

I will review, and figure out what would be nice to use.

thanks for taking the time to do this.

eholz1

eholz1 · ‎03-16-2023

Wow thanks for fast reply, I will try it out,

thanks again,

eholz1

Is there some way to put all three stats commands in the same search, and maybe the trellis can get each calculation?

dashboard

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?