Solved: Re: how to show current ERROR trend as a single va...

rajgowd1 · ‎11-30-2016

HI,
i am trying to display ERROR count as a single value and using below search

index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1m count | eval _time=_time-now()%3600 | sort +_time

niketn · ‎11-30-2016

If you need trend to be based on last an hour before the current one you need to add the following earliest and latest time to your base search (i.e. last 2 hours)

  <earliest>-2h@h</earliest>
  <latest>now</latest>

Your search query will change as following:

index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1h count

And then edit Compared to to 1 hour before so that current hour stats are compared with previous hour for trending.

<option name="trendInterval">-1h</option>

This way you will current hour count as Single value and last hour count as trend indicator.

PS: Timeline will be restricted to only last two hour as per your need, but you can set -2h@h to even earlier value like -4h@h (last 4 hours) or even -0d@d (beginning of the day) to show hourly sparlike in the trend indicator. However, trend interval will remain 1 hour and current hour will always be compared with previous hour as set in above code block.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎11-30-2016

If you need trend to be based on last an hour before the current one you need to add the following earliest and latest time to your base search (i.e. last 2 hours)

  <earliest>-2h@h</earliest>
  <latest>now</latest>

Your search query will change as following:

index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1h count

And then edit Compared to to 1 hour before so that current hour stats are compared with previous hour for trending.

<option name="trendInterval">-1h</option>

This way you will current hour count as Single value and last hour count as trend indicator.

PS: Timeline will be restricted to only last two hour as per your need, but you can set -2h@h to even earlier value like -4h@h (last 4 hours) or even -0d@d (beginning of the day) to show hourly sparlike in the trend indicator. However, trend interval will remain 1 hour and current hour will always be compared with previous hour as set in above code block.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rajgowd1 · ‎12-01-2016

Thank you,i updated the search string based on your suggestion and its working perfectly

mrgibbon · ‎11-30-2016

Why not just add on a '| stats count' or a '|stats count | table count' on the end, that would give you a count of the events you have found.

rajgowd1 · ‎11-30-2016

HI,
i would like to display and want to change this so it shows the continuous last 60 minutes. So if the search is run at 17:00 the single value would show 15:00 to 16:00 and the trend arrow and value with compare is 14:00 to 15:00

mrgibbon · ‎11-30-2016

Take a look here, it mentions a timechart command may produce the result you want:
link text

So you may already have the code you need. Have you tried looking at the options for the trend in the xml?

how to show current ERROR trend as a single value

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!