Feeding Sparkline with Data Model

splunkbeginner2
Path Finder

Hello,

For a dashboard I will need to display a sparkline with entries blocked / accessed by an ACL from the Cisco IOS app. Because of the availability of data models, I would like to use them to access the data. Unfortunately, I am currently not able to create a sparkline that displays what I wanted.

I am able to get 9 charts that can display when each of the values was reached
(e.g.
2 hits at: 10:10, 10:30, 10:40
3 hits at: 10:20
4 hits at: 10:50, 11:00
)

[All numbers displayed in a graph]

How could I get this data into a single graph?

| pivot Cisco_IOS_Event Blocked_Access_List_Event Blocked_Access_List_Event AS "val" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | eval count=val | eval name="name" | eval Time=_time | chart sparkline by val

Thanks for your help!

Regards!

0 Karma
1 Solution

splunkbeginner2
Path Finder

I fixed it. The solution was the following:

  1. I debugged the source of the Cisco IOS App. They use saved searches.
  2. Open Search in Splunk -> Settings->Searches --> Cisco uses the old notation.
  3. Using the old scheme of notation:

search index="cisco-firewall" action="blocked" | chart sparklines

Simple, but works. However I have to admit that I would have preferred a solution with the data model.

Best Regards!

0 Karma
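
One way to get a single sparkline from the data model instead of the raw index, added here as an example and not part of the original post or the Cisco IOS app. It assumes the `Cisco_IOS_Event` data model and `Blocked_Access_List_Event` dataset named in the question; the 10-minute bucket and the output field names `blocked_trend` and `blocked_total` are illustrative choices.

```spl
| datamodel Cisco_IOS_Event Blocked_Access_List_Event search
| stats sparkline(count, 10m) AS blocked_trend, count AS blocked_total
```

Because nothing is split by the per-bucket count (the `by val` in the question's search), this returns one row with one sparkline rather than one row per distinct hit count. Appending `BY host` to the `stats` command gives one sparkline per reporting device.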
