
How can I use sparkline for single value visualization?

tamduong16
Contributor

I want to display the total event count for the current month and then compare it to the total event for the last month and the up or down arrow to be the difference between this month event and last month along with the number of the count below it. Is it possible that this could be done with Splunk? Like this:


I have this search but I don't know what would come next since everything I try after that failed:

index="monthlycdr" earliest=-2mon@mon latest=@mon

0 Karma
1 Solution

niketn
Legend

@tamduong16, as you can see Trend Indicator in Single Value is based on timechart command which generates stats for time spans. If you do not specify span in the timechart command it defaults on its own based on earliest and latest time provided. In this case span is set to daily or 1 day i.e. span="1d" automatically.

If you want to show monthly trending simplest change you can do is to set span to 1 month i.e. span="1mon"

<YourBaseSearch>
| timechart span="1mon" count

Within Single value there are few things to notice.
1) Single value represents the stats for the latest bucket. In this case current month count.
2) Based on Compare to time, show Upward and Downward trend and also show difference in volume as compared to volume at previous time. By default it is auto which means current volume (i.e. last) gets compared to one prior volume (i.e. second last) in the series. In this case current month volume compared to previous month. Compared to time interval can be configured via Simple XML Configuration (by default it is auto).

<option name="trendInterval">auto</option>

Prior to Splunk Enterprise 6.4 what was Single Value has changed a lot and become quite a prominent visualization option with the introduction of trending, color by trending and most recently trellis. So it would be best if you try to read and understand how it works and what it interprets.

Splunk Docs for Single Value Color By Trend: http://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Color_by_trend
Splunk Simple XML Reference for Single Value: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#single_value
Splunk Dashboard Examples App with Single Value examples: https://splunkbase.splunk.com/app/1603/

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
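
The two pieces of the answer above, combined into one Simple XML panel. This is an added example, not part of the original post. The time range (`-1mon@mon` to `now`) is an assumption chosen so that the last two monthly buckets are the previous full month and the current, still partial month; the label and title are placeholders.

```xml
<dashboard>
  <label>Monthly event count (example)</label>
  <row>
    <panel>
      <single>
        <title>Events this month vs. last month</title>
        <search>
          <!-- span="1mon" forces one bucket per calendar month; without it
               timechart picks its own span from the time range. -->
          <query>index="monthlycdr" | timechart span="1mon" count</query>
          <!-- Assumed range: start of last month up to now, giving exactly
               two buckets. With latest=@mon (as in the question) the current
               month is excluded and the big number is last month's count. -->
          <earliest>-1mon@mon</earliest>
          <latest>now</latest>
        </search>
        <!-- Arrow plus difference against the prior bucket. -->
        <option name="showTrendIndicator">1</option>
        <option name="trendInterval">auto</option>
        <!-- absolute = difference in event count; percent is the alternative. -->
        <option name="trendDisplayMode">absolute</option>
        <option name="showSparkline">1</option>
        <!-- Color the value by the direction of the trend. -->
        <option name="useColors">1</option>
        <option name="colorBy">trend</option>
        <option name="trendColorInterpretation">standard</option>
      </single>
    </panel>
  </row>
</dashboard>
```

Because the current month is incomplete, the trend will usually show a decrease until late in the month; comparing two complete months instead means using `earliest=-2mon@mon latest=@mon`, at the cost of the headline number being last month's total.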


tamduong16
Contributor

@niketnilay, I found my answer based on your comment. Could you please post your comment to the answer section so I could accept it? Thank you so much.

0 Karma

niketn
Legend

@tamduong16, I have converted to answer please accept.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kamlesh_vaghela
SplunkTrust

Hi
Single view with a trend is generated with timechart.

So can you please try below search?

index="monthlycdr" earliest=-2mon@mon latest=@mon | timechart count

You can easily create it with search visualization.

Thanks

0 Karma

tamduong16
Contributor

Hi Kamlesh, thanks for the reply. I tried it but it actually gives me a weird number, which I don't understand much. I really just want Splunk to count the number of events for the current month and display it as the big number there. I got this part already but I cannot figure out how to compare it to last month's total events and have the arrow tell me if it increases or decreases compared to last month. Any ideas?

0 Karma