Splunk Search
Highlighted

Create a gauge where the maximum references count in one database and needle references count in 2nd database?

Contributor

Hello Splunkers,
I'm processing results of an asset database search. I have one database that is the 'reference' database "database 1" that has lets say 500 assets in it. I have a second database that has lets say 350 assets in it that we are trying to get to match up so that it at some point also will equal 500 assets in it. I thought a marker gauge would be a good tool to communicate progress to mgmt in doing this. My search is built already where I have a basic 2 line chart with a header "source" above database 1 and database 2 columns and a header "count" above the count columns found in each database.

I would like to make a gauge where the maximum of the gauge will always reference the count in the reference database 1 and the moving needle will always reference the count in database 2.
Is that possible and if so, how do I do it?
Thanks!

Tags (2)
0 Karma
Highlighted

Re: Create a gauge where the maximum references count in one database and needle references count in 2nd database?

Contributor

Or maybe even just a simple pie chart where the maximum of the pie is database 1 and the slice is database 2...

0 Karma
Highlighted

Re: Create a gauge where the maximum references count in one database and needle references count in 2nd database?

SplunkTrust
SplunkTrust

Does this look like your current data table?

| stats count | eval db = "db2 db1" | makemv db | mvexpand db | streamstats count

count   db
    1  db2
    2  db1 

If so, append this:

... | eval base = 0 | xyseries base db count | gauge db2 base db1

Visualize that as a marker gauge and you're there. Make sure you use your database names instead of db2 and db1.

View solution in original post

Highlighted

Re: Create a gauge where the maximum references count in one database and needle references count in 2nd database?

Contributor

So the original DB is actually two DB's (.csv's) that I am pulling hostname values from. Values are the same in each DB as far as formatting but some that are present in DB1 are missing from DB2. Does your suggestion work with that information? I'm not sure how to format your suggestion with that in mind.

0 Karma
Highlighted

Re: Create a gauge where the maximum references count in one database and needle references count in 2nd database?

Contributor

So currently have have this:
Mysearch | search HostName="*" | stats count by source,host | eval base = 0 | xyseries base HostName count | gauge SoftwareInstalls(Apple) base AssetDB(Apple)
What am I missing?
Thanks for your help!

0 Karma
Highlighted

Re: Create a gauge where the maximum references count in one database and needle references count in 2nd database?

SplunkTrust
SplunkTrust

As a first stab in the dark, try to avoid parentheses in field names. Rename those right after the stats. Alternatively, enclose them in single quotation marks.

0 Karma