Dashboards & Visualizations

Splunk query compare two results

Path Finder


I have the query below in simple Single Value format:

index = event_viewer "collection = PerfMon" | timechart span = 10m count as PerfMon

I need to compare the current value with the last 30 minutes and if it has a difference of more than 50% turn red, this is for values ​​above or below.

Ex: 15:00 -> 1300
3:30 pm -> 1800
4:00 pm -> 3600

My Single Value chart must be red at exactly 16:00.

If it is not clear, please let me know.

0 Karma

Ultra Champion
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1">
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2h@m"), relative_time(_time,"@m")) 
| makecontinuous span=1m _time
| eval count=random() % 200
| timechart span=10m sum(count) as PerfMon
| rename COMMENT as "From here, the logic is"
| streamstats list(PerfMon) as PM window=4
| eval PM_30min=if(mvcount(PM)==4,mvindex(PM,0),NULL)
| reverse
| table _time PerfMon PM_30min |head 1|eval range=if(PerfMon / PM_30min > 2 OR PerfMon / PM_30min < 0.5 , "#FF0000" , "#008000")</query>
              <set token="value">$result.PerfMon$</set>
              <set token="color">$result.range$</set>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      <html id="test">
            #test {height:200px;}

p {display:block;
   color: $color$;
   font-size: 12ex;}
  <div id="sample">

It is difficult because rangemap related options are gone with single value.
I made it with html instead. But it's NOT cool.

Would someone please make it cool.

0 Karma

Ultra Champion
0 Karma


index = _internal component=Metrics earliest=-60m@m latest=-30m@m | stats count as OldMetrics
| appendcols
[search index = _internal component=Metrics earliest=-30m@m latest=now | stats count as LatestMetrics]
| eval deviation=round(OldMetrics/LatestMetrics,2),deviation=1-deviation
| eval alert=case(deviation<-0.5,"Yes",deviation>-.05 AND deviation<0.5,"No",deviation>0.5,"Yes")

That should give you an example of how you can compare two values across two time periods. For your use case you'd want to format the single value to be red if deviation is between -0.5 and 0.5 (hence you can use the alert field) - if you need to use numeric values cause formatting doesn't let you use Yes/No, then use replace those in the search

0 Karma

Path Finder

And how can I make this result show me a Single Value in the Preview option?

I need to add the return difference in a Dashboard.

Ex: Below 50% difference turns green, above it turns red.

0 Karma


The issue you might have is that colouring on single values is for ranges. You're looking for deviation percentage, whilst also still retaining the actual result in the single value. You could perhaps have two single values next to each other - one is the literal value, and next to it is the percentage deviation. Then you can colour it on a range.

0 Karma

Path Finder

Guys can anyone give a help in this part?

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...