Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- help on trend indicator
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
I use the code below in order to display a single panel value count on the last 7 days
index=mesures sourcetype=sign
| fields sig_id
| stats dc(sig_id)Now, I need to change it by a trend indicator in order to have the single panel count but also in order to have the trend for the week before the last 7 days
So you can see the code in my xml file, but I have "0" displayed in my count and obviously "0" for my trend
<panel>
<single>
<search>
<query>`index=mesures sourcetype=sign
| fields sig_id
| timechart dc(sig_id)</query>
<earliest>-7d@d</earliest>
<latest>now</latest>
</search>
<option name="colorBy">trend</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">200</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="rangeValues">[0,5,10]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendInterval">-7d</option>
<option name="underLabel">Compared to last week</option>
<option name="useColors">1</option>
</single>
</panel>So what is wrong please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31 Try using below search string:
index=mesures sourcetype=sign
| timechart span=7d dc(sig_id)you can change the timespan as per your need.
Also, If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31 Try using below search string:
index=mesures sourcetype=sign
| timechart span=7d dc(sig_id)you can change the timespan as per your need.
Also, If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
thanks
I understand better why I thought my count was wrong
its a misunderstanding
as my time range is on the "last 7 days", I thought that my count will be on the "last 7 days" I can see that the count correspond to the count of the current day and the trend indicator is just the difference between the current day count and the count on the last 7 days
so I wonder if its possible to have a count on the last 7 days and a trend indicator which is the difference between this count and the count corresponding to the whole time range (30 days for example)?
because there is a logical that I dont understand. What is the interest to display a trend that compare the count done on the current day with a count done on the last7 days?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
