Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Splunk query compare two results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk query compare two results
Guys,
I have the query below in simple Single Value format:
index = event_viewer "collection = PerfMon" | timechart span = 10m count as PerfMon
I need to compare the current value with the last 30 minutes and if it has a difference of more than 50% turn red, this is for values above or below.
Ex: 15:00 -> 1300
3:30 pm -> 1800
4:00 pm -> 3600
My Single Value chart must be red at exactly 16:00.
If it is not clear, please let me know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<form>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2h@m"), relative_time(_time,"@m"))
| makecontinuous span=1m _time
| eval count=random() % 200
| timechart span=10m sum(count) as PerfMon
| rename COMMENT as "From here, the logic is"
| streamstats list(PerfMon) as PM window=4
| eval PM_30min=if(mvcount(PM)==4,mvindex(PM,0),NULL)
| reverse
| table _time PerfMon PM_30min |head 1|eval range=if(PerfMon / PM_30min > 2 OR PerfMon / PM_30min < 0.5 , "#FF0000" , "#008000")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<condition>
<set token="value">$result.PerfMon$</set>
<set token="color">$result.range$</set>
</condition>
</done>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<html id="test">
<head>
<style>
#test {height:200px;}
p {display:block;
color: $color$;
font-size: 12ex;}
</style>
</head>
<body>
<div id="sample">
<p><br/></br>
$value$</p>
</div>
</body>
</html>
</panel>
</row>
</form>
It is difficult because rangemap related options are gone with single value.
I made it with html instead. But it's NOT cool.
Would someone please make it cool.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
simple-xml-i-want-to-create-cool-single-value-disp
as you like.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index = _internal component=Metrics earliest=-60m@m latest=-30m@m | stats count as OldMetrics
| appendcols
[search index = _internal component=Metrics earliest=-30m@m latest=now | stats count as LatestMetrics]
| eval deviation=round(OldMetrics/LatestMetrics,2),deviation=1-deviation
| eval alert=case(deviation<-0.5,"Yes",deviation>-.05 AND deviation<0.5,"No",deviation>0.5,"Yes")
That should give you an example of how you can compare two values across two time periods. For your use case you'd want to format the single value to be red if deviation is between -0.5 and 0.5 (hence you can use the alert field) - if you need to use numeric values cause formatting doesn't let you use Yes/No, then use replace those in the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And how can I make this result show me a Single Value in the Preview option?
I need to add the return difference in a Dashboard.
Ex: Below 50% difference turns green, above it turns red.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue you might have is that colouring on single values is for ranges. You're looking for deviation percentage, whilst also still retaining the actual result in the single value. You could perhaps have two single values next to each other - one is the literal value, and next to it is the percentage deviation. Then you can colour it on a range.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Guys can anyone give a help in this part?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
