Splunk Search

How to make Graphic display of a delta between two values

Rajaion
Path Finder

Hello community,

I apologize in advance, I don't speak English so my writing won't be perfect.

I have a problem with a comparison. I want to compare a number of acknowledgments on a number of alerts over a period of X minutes (example: the number of acknowledgments between 0 and 5 min VS the number of resolved alerts between 0 and 5 min). I use Splunk OnCall and I think I found the right search for it but I don't know why, I can't make a clean graph for it. I would like a bar with padding to indicate the delta between my acknowledged alerts and the total alerts. Here is what my search yields:

Rajaion_0-1658408397730.png


Do you know how to force display it to show the delta in question?

Best regards,

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

If you have just two fields, Splunk is going to graph one value against the other.

You need a third field which will work as series differentiator.

If you do just

| makeresults
| eval a=10,b=20
| table a b

And try to graph that. You'll get yourself a nice little rectangle like you did with your search.

But if you leave the _time field

| makeresults
| eval a=10,b=20
| table _time a b

 Or even create some phony field on your own

| makeresults
| eval a=10,b=20,series=""
| table series a b

You can now go to visualization, chose column chart with proper stacking and will get something like this:

PickleRick_0-1658476874451.png

Notice however, that the values are stacked so if one is 10 and the other is 20 they add up to the "big bar" which has a height of 30. You'd have to do some substraction to make it add up to the bigger value but I'm sure you'll manage that 😉

View solution in original post

Rajaion
Path Finder

Hi @somesoni2, thank you very much for your help and research. Here is the result :

Rajaion_0-1658475431066.png


The info is interesting because it displays the delta directly with the generation date, I think to use it for a report instead.
However, in my case, I need both infos (ACKED VS RESOLVED) for my dashboard and it's the display that gives me problem because I can't make a cumulative display (something like this):

Rajaion_1-1658475446092.png


Do you know what is wrong with my search to display this kind of graph?

Best regards,

Rajaion

0 Karma

PickleRick
SplunkTrust
SplunkTrust

If you have just two fields, Splunk is going to graph one value against the other.

You need a third field which will work as series differentiator.

If you do just

| makeresults
| eval a=10,b=20
| table a b

And try to graph that. You'll get yourself a nice little rectangle like you did with your search.

But if you leave the _time field

| makeresults
| eval a=10,b=20
| table _time a b

 Or even create some phony field on your own

| makeresults
| eval a=10,b=20,series=""
| table series a b

You can now go to visualization, chose column chart with proper stacking and will get something like this:

PickleRick_0-1658476874451.png

Notice however, that the values are stacked so if one is 10 and the other is 20 they add up to the "big bar" which has a height of 30. You'd have to do some substraction to make it add up to the bigger value but I'm sure you'll manage that 😉

Rajaion
Path Finder

Hi @PickleRick,

Thank you for your solution, it's exactly what I needed, and with the little subtraction that goes well, I have exactly the result I want.

Thanks also to @ITWhisperer who agrees with the same idea of ​​better managing fields.

I learned a lot about this problem, thanks again.

Best regards,

Rajaion

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Short answer - Remove the last 3 lines

Longer answer - the two bars in your graphic would be represented as two series in the chart; each series is effectively a different field or column in the statistics table; the chart command you already have in your search gives you these fields / columns, you just need to visualise them and format to use stacked columns.

somesoni2
SplunkTrust
SplunkTrust

I would do something like this

index=oncall_prod currentPhase IN (ACKED, RESOLVED)
| rename transitions{}.at AS ack
| convert mktime(startTime) as start_time mktime(ack) as ack_time timeformat="%Y-%m-%dT%H:%M:%S%Z"
| eval change=ack_time-start_time
| search change>=0 AND change<=20000
| eval test=1
| chart max(test) over incidentNumber by currentPhase
| stats sum(ACKED) as ACKED sum(RESOLVED) as RESOLVED
| eval ReportDate=strftime(now(),"%F %T") | eval Diff=ACKED-RESOLVED 
| table ReportDate Diff

 

If you just want to show

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...