Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make Graphic display of a delta between two values

Rajaion
Path Finder
‎07-21-2022 06:00 AM

Hello community,

I apologize in advance, I don't speak English so my writing won't be perfect.

I have a problem with a comparison. I want to compare a number of acknowledgments on a number of alerts over a period of X minutes (example: the number of acknowledgments between 0 and 5 min VS the number of resolved alerts between 0 and 5 min). I use Splunk OnCall and I think I found the right search for it but I don't know why, I can't make a clean graph for it. I would like a bar with padding to indicate the delta between my acknowledged alerts and the total alerts. Here is what my search yields:

Rajaion_0-1658408397730.png


Do you know how to force display it to show the delta in question?

Best regards,

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-22-2022 01:02 AM

If you have just two fields, Splunk is going to graph one value against the other.

You need a third field which will work as series differentiator.

If you do just

| makeresults
| eval a=10,b=20
| table a b

And try to graph that. You'll get yourself a nice little rectangle like you did with your search.

But if you leave the _time field

| makeresults
| eval a=10,b=20
| table _time a b

 Or even create some phony field on your own

| makeresults
| eval a=10,b=20,series=""
| table series a b

You can now go to visualization, chose column chart with proper stacking and will get something like this:

PickleRick_0-1658476874451.png

Notice however, that the values are stacked so if one is 10 and the other is 20 they add up to the "big bar" which has a height of 30. You'd have to do some substraction to make it add up to the bigger value but I'm sure you'll manage that 😉

View solution in original post

Reply
Solved! Jump to solution

Rajaion
Path Finder
‎07-22-2022 12:37 AM

Hi @somesoni2, thank you very much for your help and research. Here is the result :

Rajaion_0-1658475431066.png


The info is interesting because it displays the delta directly with the generation date, I think to use it for a report instead.
However, in my case, I need both infos (ACKED VS RESOLVED) for my dashboard and it's the display that gives me problem because I can't make a cumulative display (something like this):

Rajaion_1-1658475446092.png


Do you know what is wrong with my search to display this kind of graph?

Best regards,

Rajaion

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-22-2022 01:02 AM

If you have just two fields, Splunk is going to graph one value against the other.

You need a third field which will work as series differentiator.

If you do just

| makeresults
| eval a=10,b=20
| table a b

And try to graph that. You'll get yourself a nice little rectangle like you did with your search.

But if you leave the _time field

| makeresults
| eval a=10,b=20
| table _time a b

 Or even create some phony field on your own

| makeresults
| eval a=10,b=20,series=""
| table series a b

You can now go to visualization, chose column chart with proper stacking and will get something like this:

PickleRick_0-1658476874451.png

Notice however, that the values are stacked so if one is 10 and the other is 20 they add up to the "big bar" which has a height of 30. You'd have to do some substraction to make it add up to the bigger value but I'm sure you'll manage that 😉

Reply
Solved! Jump to solution

Rajaion
Path Finder
‎07-22-2022 07:09 AM

Hi @PickleRick,

Thank you for your solution, it's exactly what I needed, and with the little subtraction that goes well, I have exactly the result I want.

Thanks also to @ITWhisperer who agrees with the same idea of ​​better managing fields.

I learned a lot about this problem, thanks again.

Best regards,

Rajaion

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2022 12:50 AM

Short answer - Remove the last 3 lines

Longer answer - the two bars in your graphic would be represented as two series in the chart; each series is effectively a different field or column in the statistics table; the chart command you already have in your search gives you these fields / columns, you just need to visualise them and format to use stacked columns.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-21-2022 01:34 PM

I would do something like this

index=oncall_prod currentPhase IN (ACKED, RESOLVED)
| rename transitions{}.at AS ack
| convert mktime(startTime) as start_time mktime(ack) as ack_time timeformat="%Y-%m-%dT%H:%M:%S%Z"
| eval change=ack_time-start_time
| search change>=0 AND change<=20000
| eval test=1
| chart max(test) over incidentNumber by currentPhase
| stats sum(ACKED) as ACKED sum(RESOLVED) as RESOLVED
| eval ReportDate=strftime(now(),"%F %T") | eval Diff=ACKED-RESOLVED 
| table ReportDate Diff

 

If you just want to show

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...