Activity Feed
- Karma Re: How to color a cell on dashboard based on condition when column names are dynamic? for ITWhisperer. 08-16-2024 11:21 AM
- Posted Re: Calculating values from dynamically named columns on Reporting. 08-15-2024 07:23 AM
- Karma Re: Calculating values from dynamically named columns for ITWhisperer. 08-15-2024 07:22 AM
- Posted Re: Calculating values from dynamically named columns on Reporting. 08-15-2024 06:13 AM
- Posted Re: Calculating values from dynamically named columns on Reporting. 08-15-2024 06:10 AM
- Posted Re: Calculating values from dynamically named columns on Reporting. 08-15-2024 06:08 AM
- Posted Re: Calculating values from dynamically named columns on Reporting. 08-14-2024 01:07 PM
- Posted Re: Calculating values from dynamically named columns on Reporting. 08-14-2024 01:00 PM
- Karma Re: Calculating values from dynamically named columns for ITWhisperer. 08-14-2024 12:55 PM
- Posted Calculating values from dynamically named columns on Reporting. 08-14-2024 07:09 AM
- Karma Re: Radial Gauge valu/max from stats query for richgalloway. 01-29-2024 07:23 AM
- Posted Radial Gauge valu/max from stats query on Splunk Search. 01-25-2024 08:58 AM
- Posted Re: Splunk - how to modify Token based on the choice values from another Token? on Dashboards & Visualizations. 08-23-2023 10:15 AM
- Posted Re: How to go about dropdown default value based on another dropdown? on Dashboards & Visualizations. 08-23-2023 10:13 AM
- Posted Re: How to set a token based on drop down values on Dashboards & Visualizations. 08-23-2023 10:07 AM
- Posted Re: Dashboard Studio App does not show in Select an App when linking to another dashboard on Dashboards & Visualizations. 05-11-2023 07:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
08-15-2024
07:23 AM
I had to remove these 2 lines from the very top because they emptied the _time column: | eval _time=strptime(date,"%m/%d/%Y")
| fields - date But after that it works like a charm. Thanks so much
... View more
08-15-2024
06:13 AM
OTHER arc dev test prod 7/16/2024 5.76 0.017 2.333 2.235 19.114 7/17/2024 5.999 0.018 2.595 2.26 18.355 7/18/2024 6.019 0.018 2.559 1.962 16.879 7/19/2024 5.65 0.018 2.177 1.566 14.573 7/20/2024 4.849 0.013 2.389 1.609 12.348 7/21/2024 4.619 0.013 2.19 1.618 12.296 7/22/2024 5.716 0.019 2.425 1.626 14.286
... View more
08-15-2024
06:10 AM
That didn't format well. I'll post the data in a separate reply from my comments. I was able to play around with what you sent and this gives me rows with the size and the change in size, which is the data I want, but I can't seem to get it back to the table format I need. if I add "| stats values(*) as * by index" then I end up with a format that is multivalue and I haven't been able to get that untangled either. I am OK at this stuff, but am definitely not a pro level user. | loadjob "" | eval date=(strftime(_time,"%Y-%m-%d")) | fields - _time | transpose header_field=date | rename column AS index | sort index | untable index date size | sort 0 index date | streamstats last(size) as previous window=1 global=f current=f by index | eval relative_size = 100 * size / previous | fields - previous | appendpipe [| eval date=strftime(date, "%F")." change" | xyseries index date relative_size] | appendpipe [| eval date=strftime(date, "%F") | xyseries index date size]
... View more
08-15-2024
06:08 AM
Thanks for your help, I really appreciate it. Here's the output from the report job: OTHER arc dev test prod 2024-07-16 5.760 0.017 2.333 2.235 19.114 2024-07-17 5.999 0.018 2.595 2.260 18.355 2024-07-18 6.019 0.018 2.559 1.962 16.879 2024-07-19 5.650 0.018 2.177 1.566 14.573 2024-07-20 4.849 0.013 2.389 1.609 12.348 2024-07-21 4.619 0.013 2.190 1.618 12.296 2024-07-22 5.716 0.019 2.425 1.626 14.286 I was able to play around with what you sent and this gives me rows with the size and the change in size, which is the data I want, but I can't seem to get it back to the table format I need. if I add "| stats values(*) as * by index" then I end up with a format that is multivalue and I haven't been able to get that untangled either. I am OK at this stuff, but am definitely not a pro level user. | loadjob "" | eval date=(strftime(_time,"%Y-%m-%d")) | fields - _time | transpose header_field=date | rename column AS index | sort index | untable index date size | sort 0 index date | streamstats last(size) as previous window=1 global=f current=f by index | eval relative_size = 100 * size / previous | fields - previous | appendpipe [| eval date=strftime(date, "%F")." change" | xyseries index date relative_size] | appendpipe [| eval date=strftime(date, "%F") | xyseries index date size]
... View more
08-14-2024
01:07 PM
For completeness, here's how I spliced them together, although I tried just adding your commands after my search, entirely, and after my search but without the addcoltotals and neither worked.
| loadjob savedsearch="30 Days Ingest By Index"
| eval day_of_week=strftime(_time,"%a"), date=(strftime(_time,"%Y-%m-%d"))
| search day_of_week=Tue
| fields - _time day_of_week
| transpose header_field=date
| rename column AS index
| untable index date size
| eval date=strptime(date."-2024","%d-%b-%Y")
| fieldformat date=strftime(date,"%F")
| sort 0 index date
| streamstats last(size) as previous window=1 global=f current=f by index
| eval relative_size = 100 * size / previous
| fields - previous
| appendpipe
[| eval date=strftime(date, "%F")." change"
| xyseries index date relative_size]
| appendpipe
[| eval date=strftime(date, "%F")
| xyseries index date size]
| fields - date size relative_size
| stats values(*) as * by index
... View more
08-14-2024
01:00 PM
When I add your processing to the end of mine I get a table that only has one column -- index. None of the data is there.
... View more
08-14-2024
07:09 AM
I have a search that returns values for dates and I want to calculate the changes between the dates. What I want would look something like this.
index
1-Aug
8-Aug
Aug 8 change
15-Aug
Aug 15 Change
22-Aug
Aug 22 change
29-Aug
Aug 29 change
index1
5.76
5.528
96%
5.645
102%
7.666
136%
6.783
88%
index2
0.017
0.023
135%
0.036
157%
0.033
92%
14.985
45409%
index3
2.333
2.257
97%
2.301
102%
2.571
112%
0.971
38%
index4
2.235
1.649
74%
2.01
122%
2.339
116%
2.336
100%
index5
19.114
14.179
74%
14.174
100%
18.46
130%
19.948
108%
I have a search that returns the values without the change calculations
| loadjob savedsearch="me@email.com:splunk_instance_monitoring:30 Days Ingest By Index"
| eval day_of_week=strftime(_time,"%a"), date=(strftime(_time,"%Y-%m-%d"))
| search day_of_week=Tue
| fields - _time day_of_week
| transpose header_field=date
| rename column AS index
| sort index
| addcoltotals label=Totals labelfield=index
If the headers were something like "week 1" "week 2" I can get what I want, but with date headers that change very time, I've tried using foreach to iterate through and caclulate the changes from one column to the next but haven't been able to come up with the right solution. Can anyone help?
... View more
01-25-2024
08:58 AM
I have a query that returns 2 values . . . | stats max(gb) as GB by metric_name metric_name GB storage_current 99 storage_limit 100 Now I want to be able to reference the current and limit values in a radial gauge, how can I covert that table into key value pairs so I can say that the value of the radial is "storage_current"? something like |eval {metric_name}={GB}
... View more
Labels
- Labels:
-
stats
08-23-2023
10:15 AM
Is there a way do do this in Dashboard Studio JSON configuratino?
... View more
08-23-2023
10:13 AM
Can this be done in Dashboard Studio JSON configuration?
... View more
08-23-2023
10:07 AM
How do I do this in Dashboard Studio JSON configuration? The documentation for that is very sparse
... View more
05-11-2023
07:50 AM
I'm having the same problem,with the search app
... View more
