- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Single value with trend to compare last 7 days...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Single value with trend to compare last 7 days and last 7 days before that
Hello Team,
I want to compare total count of last 7 days to the total count of 7 days before that in a single value with trend. For example, (suppose today is 15th), if the total count from 9th to 15th is 120 and total count from 1st to 8th was 50. I want to compare this and have a single value with Arrow.
I hope you have got my point. Le t me know if you need some more information
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It definitely should work; it works for me (you don't need the fields part so just drop it):
earliest=-14d@d latest=@d-1s index=_internal
| timechart span=7d count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Woodcock. It would work but if count is zero it won't show for that week/hour/day.
Did you see a zero in your count in the results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, even when I drop the previous week's events like this:
earliest=-14d@d latest=@d-1s index=_internal
| where _time > relative_time(now(), "-1d@d")
| timechart span=7d count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Strange, doesn't work for me....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am on v6.6.0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would you want the single value to be 120, then and just an arrow pointing up?
try something like this for a date range of the 1st through 14th:
|timechart span=7d count
if you only want the arrow, don't show the sparkline. it would just be two points anyways with just two weeks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Cmerriman,
Thanks for your response.
I managed to create a search but it is not giving me the result as expected. see below:
MY SEARCH:
earliest=-14d@d latest=@d-1s index=myindex sourcetype=mysourcetype status=success | timechart span=7d count | fields count
I'm getting the result as:
count _time
25 2017-06-09
What I'm expecting is:
count _time
0 2017-06-02
25 2017-06-09
I think the problem is if the total of the count during the week from 2nd to 8th is 0 (Zero) is doesn't provide the result for that week. Any clues how we can make that appear in the result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that is bizarre. i'm running a similar query on my own data. i limited a dataset so that i only had data coming back from 6/11-6/14. i ran .... earliest=-14d@d latest=@d-1s| timechart span=7d count | fields count
and got back
count _time
0 2017-06-02
17864 2017-06-09
I'm on version 6.5.1, is that the version you are on?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It all works fine for me on v6.6.0.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
