![]() if you use the Compared to field in the Format menu, it will override the span command you specified in the search string. You can change the trend time window in the Format menu's General settings panel or by adjusting the span parameter for timechart. By default, the trend indicator value evaluates to the difference between the two most recent values in the results. The trend indicator is composed of a number and an arrow to represent what happened most recently in the data.ĭepending on data behavior, the trend arrow can point up, down, or directly to the side to show no change. It shows recent data behavior over a customizable time range. Using the time range picker to select Today means that the sparkline shows data changes over the past twenty-four hours.Ī trend indicator appears to the right of a single value generated with the timechart command. This visualization shows results for the same search over the past day's data. Using the time range picker to select Week to date means that the sparkline reflects the data changes over the last seven days. This visualization shows results for a search over the past week's data. It shows increases and decreases in a metric over the time range you specify in a search. ![]() Queries to generate a sparkline and trend indicatorĪ sparkline appears by default below a single value generated with the timechart command. A query using timechart generates a visualization showing the most recent result within that range.įor details about the stats command, see stats in the Search Reference.įor details about the timechart command, see timechart in the Search Reference. A query using stats results in a visualization showing the aggregated total of results in the time range. The time range picker and the query command work together to generate the results for a single value visualization.In this case, the single value visualization uses the value in the first cell of the results table. In the Dashboard Editor, you can select single value visualizations even if a search returns multiple values. Search for a single value to avoid unexpected results in the visualization.It is important to set up the single value query that best drives the visualization that you expect. Queries and time ranges for single values Index = _internal source = "*splunkd.log" log_level = "error" | stats count As an example, this query and visualization use stats to tally all errors in a given week. ![]() If you use the stats command to generate a single value, the visualization shows the aggregated value without a trend indicator or sparkline. If you use the stats command as part of a full timechart query, the visualization does not include a sparkline or trend indicator. Using timechart means that time series data becomes available to sparkline and trend indicator processing. To access sparklines and trend indicators, it is important that the search includes the timechart command. Index=_internal source="*splunkd.log" log_level="error" | timechart count This search and visualization use timechart to track daily errors for a Splunk deployment. Single value visualizations work best for queries that create a time series chart using the timechart command or aggregate data using the stats command. Learn how to write a query to generate a single value visualization. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |