I want to display the total event count for the current month and then compare it to the total event for the last month and the up or down arrow to be the difference between this month event and last month along with the number of the count below it. Is it possible that this could be done with Splunk? Like this:
I have this search but I don't know what would come next since everything I try after that failed:
index="monthlycdr" earliest=-2mon@mon latest=@mon
@tamduong16, as you can see Trend Indicator in Single Value is based on timechart command which generates stats for time spans. If you do not specify span
in the timechart command it defaults on its own based on earliest and latest time provided. In this case span is set to daily or 1 day i.e. span="1d"
automatically.
If you want to show monthly trending simplest change you can do is to set span to 1 month i.e. span="1mon"
<YourBaseSearch>
| timechart span="1mon" count
Within Single value there are few things to notice.
1) Single value represent the stats for latest bucket. In this case current month count.
2) Based on Compare to time, show Upward and Downward trend and also show difference in volume as compared to volume at previous time. By default it is auto which means current volume (i.e. last) gets compared to one prior volume (i.e. second last) in the series. In this case current month volume compared to previous month. COmpared to time interval can be configured via Simple XML Configuration (by default it is auto).
<option name="trendInterval">auto</option>
Prior to Splunk Enterprise 6.4 what was Single Value has changed a lot a and become quite prominent visualization option with the introduction of trending, color by trending and most recently trellis. So it would be best if you try to read and understand how it works and what it interprets.
Splunk Docs for Single Value Color By Trend: http://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Color_by_trend
Splunk Simple XML Reference for Single Value: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#single_value
Splunk Dashboard Examples App with Single Value examples: https://splunkbase.splunk.com/app/1603/
@tamduong16, as you can see Trend Indicator in Single Value is based on timechart command which generates stats for time spans. If you do not specify span
in the timechart command it defaults on its own based on earliest and latest time provided. In this case span is set to daily or 1 day i.e. span="1d"
automatically.
If you want to show monthly trending simplest change you can do is to set span to 1 month i.e. span="1mon"
<YourBaseSearch>
| timechart span="1mon" count
Within Single value there are few things to notice.
1) Single value represent the stats for latest bucket. In this case current month count.
2) Based on Compare to time, show Upward and Downward trend and also show difference in volume as compared to volume at previous time. By default it is auto which means current volume (i.e. last) gets compared to one prior volume (i.e. second last) in the series. In this case current month volume compared to previous month. COmpared to time interval can be configured via Simple XML Configuration (by default it is auto).
<option name="trendInterval">auto</option>
Prior to Splunk Enterprise 6.4 what was Single Value has changed a lot a and become quite prominent visualization option with the introduction of trending, color by trending and most recently trellis. So it would be best if you try to read and understand how it works and what it interprets.
Splunk Docs for Single Value Color By Trend: http://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Color_by_trend
Splunk Simple XML Reference for Single Value: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#single_value
Splunk Dashboard Examples App with Single Value examples: https://splunkbase.splunk.com/app/1603/
@niketnilay, I found my answer base on your comment. Could you please post your comment to the answer section so I could accept it. Thank you so much
@tamduong16, I have converted to answer please accept.
HI
Single view with a trend is generated with timechart
.
So can you please try below search?
index="monthlycdr" earliest=-2mon@mon latest=@mon | timechart count
You can easily create it with search visualization.
Thanks
Hi Kamlesh, Thanks for the reply. I tried it but it actually gives me a weird number, which I don't understand much. I really just want splunk to count the number of events for the current month and display it as the big number there. I got this part already but I can not figure out how to compare it to last month total events and have the arrow to tell me if it increases or decreases compared to last month. Any ideas?