Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my search to display the trend line on a single value visualization?

mmwilson
Explorer
‎08-21-2017 03:48 PM

Hi Fellow Splunkers,

I have a search that is using lookup tables to show how many of our hosts are reporting. When I run the query, it populates the number for me, but it doesn't draw the trend line and i haven't been able to find a way to enable it, unfortunately. Best advice I can find is to run a timechart, but having a hard time converting this over.

| `asset_eventcount` 
| search (`get_category(pci)`) () tag= expected 
| sort 0 - lastTime 
| `uitime(firstTime)` 
| `uitime(lastTime)` 
| eval last_logged = round((now() - lastTime)/86400) 
| replace -1 with 0 in last_logged 
| eval last_logged = if(last_logged<30, "Logging", last_logged) 
| eval last_logged = if(last_logged>30, "Stopped Logging", last_logged) 
| eval last_logged = if(isnull(last_logged) OR last_logged="", "Never Logged", last_logged) 
| stats count by last_logged | where last_logged="Logging" | fields count

Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-22-2017 12:49 AM

Hi mmwilson,
why don't you use _time?
you could replace your last row with

| where last_logged="Logging" 
| timechart bins=2 count

Bye.
Giuseppe

0 Karma
Reply

mmwilson
Explorer
‎08-21-2017 10:09 PM

We have a master list of thousands of hosts, and one of our dashboards has a single value visualization for active hosts, inactive hosts, and never before seen hosts. We'd like to visualize it with a trend to see if new hosts have been added, or to see if any have stopped logging at a quick glance.

0 Karma
Reply

DalJeanis
Legend
‎08-21-2017 08:25 PM

In order to do a timechart, you need to have a _time.

You also need to be charting a consistent metric, not words.

Regardless of that, I'm not sure what a trend line on this data would really tell you.

To a degree, this data is the reverse of a trend... or the shadow of the inverse of a trend not happening...

Related trends that might be mapped

How many servers were reporting on each day.
How many servers were NOT reporting on each day.
How many cumulative server-non-reporting days have accrued as/of each date

What exactly do you want the trendline to tell you?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...