I would like to show something like this:
59/45
and color the result according to the result of the division:
<row>
<panel>
<single>
<title>My title</title>
<search>
<query> index=myIndex earliest=-30m latest=now | eval lastweek="oof"
| append [search index=myIndex earliest=-30m@-1w latest=-1w | eval lastweek="foo" ]
| eval useCase=myUseCase | where useCase="filter"
| stats count(eval(lastweek="oof")) as nbNow, count(eval(lastweek="foo")) as nbLastWeek by useCase
| eval result=nbNow."/".nbLastWeek | eval percent=nbNow/nbLastWeek
| rangemap field=percent low=1.1-1.5 guarded=0.8-1.1 high=0.6-0.8 elevated=0.4-0.6 severe=0-0.4 default=low
| fields percent, result
</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<!--<option name="field">result</option>-->
<option name="numberPrecision">0.000</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0.4,0.6,0.8,1.1]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">before</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
</panel>
</row>
I want to see result (in the field) and color the value by percent.
I tried the option "field", but if I select result, I see the result without color.
Any ideas?
Thanks in advance.
I see some performance issues with the way you have correlated two timelines.
1) If you want to compare the last 30 min today vs the last 30 minutes 7 days back, you should try the following earliest and latest time selectors:
now : earliest=-30m latest=@s
last week: earliest=-1d@s-30m latest=-1d@s
2) Through append you are stitching events from two different timelines and then applying a filter on the combined result. Since the field myUseCase="filter" should exist on both series, you can apply the filter in the base search for both, i.e.
index=myIndex myUseCase="filter" earliest=-30m latest=@s
And
search index=myIndex myUseCase="filter" earliest=-1d@s-30m latest=-1d@s
3) Since you are interested in a Single Value result, it is better to apply the transformation before correlating the events, i.e. stats should be performed in each base search and the combined results can be correlated using appendcols instead of append:
index=myIndex myUseCase="filter" earliest=-30m latest=@s
| stats count as nbNow
| appendcols
[search index=myIndex myUseCase="filter" earliest=-1d@s-30m latest=-1d@s
| stats count as nbLastWeek]
4) Finally, all you need to do is replace the percent value used for deciding range colors with the string result to be displayed as the single value:
| eval percent=replace(percent,percent,result)
PS: Splunk does not officially support rangemap for setting color ranges. So once you try to edit Single Value Colors through UI Edit mode, then colors might reset, since underlying color ranges values get overridden in Simple XML configuration. (Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Migration_for_rangemap...)
Following is a run anywhere dashboard code snippet based on Splunk's _internal index that you can adopt for your use case:
<row>
<panel>
<single>
<search>
<query>index="_internal" sourcetype="splunkd" earliest=-30m latest=@s
| stats count as nbNow
| appendcols
[search index="_internal" sourcetype="splunkd" earliest=-1d@s-30m latest=-1d@s
| stats count as nbLastWeek]
| eval result=nbNow."/".nbLastWeek
| eval percent=nbNow/nbLastWeek
| table percent result
| rangemap field=percent low=1.1-1.5 guarded=0.8-1.1 high=0.6-0.8 elevated=0.4-0.6 severe=0-0.4 default=low
| eval percent=replace(percent,percent,result)
</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0.0</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
Please try out and confirm!
@niketnilay
Thanks a lot for your answer
1 - I modified my query to take into account your comment on latest/earliest.
2 - I can't do this (myUseCase="filter" in the first search part) because I must do an eval to find myUseCase, but I understand what you mean. I am thinking about changing my query to do it all in the first part...
3 - I see a problem with this version: I must repeat myUseCase 2 times. And I would like to make 16 "single"s in my dashboard. Repeating twice is problematic and tedious.
4 - Ok for replace.... But it doesn't work...
=> Finally it works. I must remove rangeColors and rangeValues for the good result.
<row>
<panel>
<single>
<title>Transactionsss</title>
<search>
<query>index=myIndex filter1 earliest=-30m latest=@s
| eval useCase=.....
| where useCase=myUseCase
| stats count as nbNow
| appendcols [search index=myIndex filter1 earliest=-1w@s-30m latest=-1w@s
| eval useCase=.....
| where useCase=myUseCase
| stats count as nbLastWeek
]
| eval result=nbNow."/".nbLastWeek
| eval percent=nbNow/nbLastWeek
| table percent result
| rangemap field=percent low=1.1-1.5 guarded=0.8-1.1 high=0.6-0.8 elevated=0.4-0.6 severe=0-0.4 default=low
| eval percent=replace(percent,percent,result)</query>
</search>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0.0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
</panel>
</row>
Sorry, I can't insert an image to show you.
@mclane1, if the above answer has resolved your issue, please Accept the Answer to mark this question as answered 🙂
I must remove rangeColors and rangeValues for the good result.
@mclane1, sorry, I might have missed that in my example! Thanks for the correction!