Dashboards & Visualizations

Single value with trend to compare the results of the current week to previous week

Engager

Hi everyone!

I have the following single value with trend:

<single>
   <search>
        <query>type"something" abc="$xyz$" res!=220
                    | timechart sum(field1) as Count span=7d 
        </query>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
    </search>
    <option name="trendInterval">-7d</option>
    <option name="colorBy">trend</option>
    <option name="useColors">1</option>       
    <option name="showSparkline">1</option>
    <option name="underLabel">Compared to a week before</option>
    <option name="drilldown">all</option>
 </single>

Now what i wanna have is the comparison between the accumulative results of the current week to the previous week. However the query compares only the results of the current day to the previous week instead of the sum of the results received in the current week, up to the current day (Example: Let's assume today is Wednesday and i want to compare the sum of the results of Monday, Tuesday and Wednesday combined, to the week before, not just Wednesday. What i mean by "current week" can also be described as the "selected week" regarding to the time token value)

Thanks in advance!

0 Karma
1 Solution

SplunkTrust
SplunkTrust

@uveys

Can you please try by changing search:

type"something" abc="$xyz$" res!=220
                     | timechart sum(field1) as Count span=w

2nd

 <earliest>-2w@w</earliest>
 <latest>now</latest>

3rd

 <option name="trendInterval">w</option>

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@uveys

Can you please try by changing search:

type"something" abc="$xyz$" res!=220
                     | timechart sum(field1) as Count span=w

2nd

 <earliest>-2w@w</earliest>
 <latest>now</latest>

3rd

 <option name="trendInterval">w</option>

View solution in original post

0 Karma

Engager

Thanks for the suggestion! The value is the same as before (which is the correct value, because today is Monday and the comparison works either way) but the trend value disappears with this optimization. Besides if i select the previous week on dropdown, the value doesn't change, due to not using the global time token

0 Karma

SplunkTrust
SplunkTrust

@uveys

I think with below changes it is working for me so for you also.

Splunk considers Sunday as the first day of the week. As your week starts with Monday I suggest you change in search earliest.

type"something" abc="$xyz$" res!=220 earliest=-1w@w1 | timechart sum(field1) as Count span=w

This will start the search by considering Monday as week start days.

For comparison, just for testing purpose and our searc hwill return only 2 rows, remove trendInterval option.

For: Besides if i select the previous week on dropdown, the value doesn't change, due to not using the global time token : You can mention global time picker in earliest latest to referesh panel but it will not inpact result as we set earliest in search..

Just sharing my sample code:

<panel>
      <title>ABCD</title>
      <single>
        <search>
          <query>index=_internal component="*" earliest=-1w@w1 | timechart count span=w</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
         <option name="colorBy">trend</option>
         <option name="useColors">1</option>       
         <option name="showSparkline">1</option>
         <option name="underLabel">Compared to a week before</option>
         <option name="drilldown">all</option>
      </single>
    </panel>
0 Karma

Engager

I don't quite understand the usage of

       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>

Is that the same field that i'm doing the timechart sum operation with? If yes, i get the following error message: "Search process is waiting for input". I also tried it with your exact sample code, with the aforementioned field, the result is still the same

0 Karma

SplunkTrust
SplunkTrust

@uveys

$field1.earliest$ is my timerage token.. You have to use here your timerange token name.,

0 Karma

Engager

Thanks kamlesh_vangela, it works now!
Best Regards

0 Karma

SplunkTrust
SplunkTrust

@uveys please accept/upvote the answer if it helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!