Splunk Search

Create a gauge where the maximum references count in one database and needle references count in 2nd database?

lbogle
Contributor

Hello Splunkers,
I'm processing results of an asset database search. I have one database that is the 'reference' database "database 1" that has let's say 500 assets in it. I have a second database that has let's say 350 assets in it that we are trying to get to match up so that it at some point also will equal 500 assets in it. I thought a marker gauge would be a good tool to communicate progress to mgmt in doing this. My search is built already where I have a basic 2 line chart with a header "source" above database 1 and database 2 columns and a header "count" above the count columns found in each database.

I would like to make a gauge where the maximum of the gauge will always reference the count in the reference database 1 and the moving needle will always reference the count in database 2.
Is that possible and if so, how do I do it?
Thanks!

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Does this look like your current data table?

| stats count | eval db = "db2 db1" | makemv db | mvexpand db | streamstats count

count   db
    1  db2
    2  db1

If so, append this:

... | eval base = 0 | xyseries base db count | gauge db2 base db1

Visualize that as a marker gauge and you're there. Make sure you use your database names instead of db2 and db1.
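The solution above applied to the two-CSV setup the poster describes later in the thread, as an added example that is not martin_mueller's code: it counts distinct HostName values per file, pivots with xyseries exactly as above, and forces a 0 for the second column so the gauge still renders when that CSV is empty. The lookup file names asset_db_apple.csv and software_installs_apple.csv and the source labels are assumptions; the labels use underscores rather than parentheses, following the advice further down in the thread.

```spl
| inputlookup asset_db_apple.csv
| eval source="Asset_DB_Apple"
| append [ | inputlookup software_installs_apple.csv | eval source="Software_Installs_Apple" ]
| stats dc(HostName) AS count BY source
| eval base=0
| xyseries base source count
| eval Software_Installs_Apple=coalesce(Software_Installs_Apple, 0)
| gauge Software_Installs_Apple base Asset_DB_Apple
```

With 500 distinct hostnames in the reference file and 350 in the second, the row after xyseries is base=0, Asset_DB_Apple=500, Software_Installs_Apple=350, so the marker gauge shows a needle at 350 on a 0 to 500 range.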

martin_mueller
SplunkTrust
SplunkTrust

As a first stab in the dark, try to avoid parentheses in field names. Rename those right after the stats. Alternatively, enclose them in single quotation marks.

0 Karma

lbogle
Contributor

So currently I have this:
Mysearch | search HostName="*" | stats count by source,host | eval base = 0 | xyseries base HostName count | gauge Software_Installs_(Apple) base Asset_DB_(Apple)
What am I missing?
Thanks for your help!

0 Karma

lbogle
Contributor

So the original DB is actually two DBs (.csv files) that I am pulling hostname values from. Values are the same in each DB as far as formatting but some that are present in DB1 are missing from DB2. Does your suggestion work with that information? I'm not sure how to format your suggestion with that in mind.

0 Karma

lbogle
Contributor

Or maybe even just a simple pie chart where the maximum of the pie is database 1 and the slice is database 2...

0 Karma