Dashboards & Visualizations
Highlighted

compare option in single value in splunk 6.3

Communicator

Hi,

I upgraded my splunk to 6.3.
I am working with single value option of splunk.
In single value we have "compare to" option to create trend using timechart.
I just want to know how custom option of compare to works.
I tried searching some document which can explain me this but not able to find.
It will be helpful if anyone can help me with this.

Thanks

Tags (2)
0 Karma
Highlighted

Re: compare option in single value in splunk 6.3

Communicator

I had the same problem. Best documentation i could find was Simple XML Reference (search for trendInterval). I figured it out using the following query:

| gentimes start=12/09/2015 end=12/10/2015 increment=1h
| streamstats count as n
| eval n=n*n
| eval _time=starttime
| fields _time n
| timechart span=1h sum(n) as count

This query simply generates testdata.

Set the time range for the search to (12/09/2015 00:00:00 to 12/09/2015 24:00:00).
Now try changing Compared to to Custom 3 Hours. The trend compares the last value in the result (576) to the value 3 hours before the last value (441) resulting in a value of 576-441=135 or (576-441)/441=30.6%.

View solution in original post

Highlighted

Re: compare option in single value in splunk 6.3

Communicator

thanks krdo.:)

0 Karma