Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a gauge where the maximum references count in one database and needle references count in 2nd database?

lbogle
Contributor
‎07-29-2014 09:31 AM

Hello Splunkers,
I'm processing results of an asset database search. I have one database that is the 'reference' database "database 1" that has lets say 500 assets in it. I have a second database that has lets say 350 assets in it that we are trying to get to match up so that it at some point also will equal 500 assets in it. I thought a marker gauge would be a good tool to communicate progress to mgmt in doing this. My search is built already where I have a basic 2 line chart with a header "source" above database 1 and database 2 columns and a header "count" above the count columns found in each database.

I would like to make a gauge where the maximum of the gauge will always reference the count in the reference database 1 and the moving needle will always reference the count in database 2.
Is that possible and if so, how do I do it?
Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-29-2014 10:25 AM

Does this look like your current data table?

| stats count | eval db = "db2 db1" | makemv db | mvexpand db | streamstats count

count   db
    1  db2
    2  db1

If so, append this:

... | eval base = 0 | xyseries base db count | gauge db2 base db1

Visualize that as a marker gauge and you're there. Make sure you use your database names instead of db2 and db1.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-29-2014 10:25 AM

Does this look like your current data table?

| stats count | eval db = "db2 db1" | makemv db | mvexpand db | streamstats count

count   db
    1  db2
    2  db1

If so, append this:

... | eval base = 0 | xyseries base db count | gauge db2 base db1

Visualize that as a marker gauge and you're there. Make sure you use your database names instead of db2 and db1.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-29-2014 12:44 PM

As a first stab in the dark, try to avoid parentheses in field names. Rename those right after the stats. Alternatively, enclose them in single quotation marks.

0 Karma
Reply
Solved! Jump to solution

lbogle
Contributor
‎07-29-2014 12:17 PM

So currently have have this:
Mysearch | search HostName="*" | stats count by source,host | eval base = 0 | xyseries base HostName count | gauge Software_Installs_(Apple) base Asset_DB_(Apple)
What am I missing?
Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

lbogle
Contributor
‎07-29-2014 12:04 PM

So the original DB is actually two DB's (.csv's) that I am pulling hostname values from. Values are the same in each DB as far as formatting but some that are present in DB1 are missing from DB2. Does your suggestion work with that information? I'm not sure how to format your suggestion with that in mind.

0 Karma
Reply
Solved! Jump to solution

lbogle
Contributor
‎07-29-2014 10:07 AM

Or maybe even just a simple pie chart where the maximum of the pie is database 1 and the slice is database 2...

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...