Sparkline bug?

richgalloway
SplunkTrust

When I run this search:

index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND 
    ("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") | 
    stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
    eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs | 
    rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message

I get these results:

[screenshot of the search results]

However, when I try to do the same thing using this Advanced XML:

<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search"><![CDATA[index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND
("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") |
stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs |
rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message]]></param>
  <module name="JobProgressIndicator"></module>
  <module name="Pager">
    <param name="entityName">results</param>
    <module name="Table">
      <param name="hiddenFields">"level"</param>
      <param name="name">click</param>
      <!-- Clicking a row opens a search for that row's Message over the same time range -->
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search index=_internal AND "$click.fields.Message$"</param>
        <param name="arg.earliest">$search.timeRange.earliest$</param>
        <param name="arg.latest">$search.timeRange.latest$</param>
      </module>
    </module>
  </module>
</module>

(Please forgive the poor formatting. I couldn't get the XML to display properly as code.)

I get these results:

Level | Trend | Occurs | Message
ERROR | ##__SPARKLINE__## 0 4 1 0 5 0 5 0 5 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0 5 0 5 0 4 1 0 5 0 6 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0 | 106 | Login failed: Username and password are required
ERROR | ##__SPARKLINE__## 0 2 1 0 3 0 3 0 3 0 3 0 0 3 0 3 0 3 0 1 2 0 3 0 3 0 3 0 3 0 0 3 0 6 0 3 0 0 3 0 3 0 3 0 0 3 0 3 0 | 66 | Login failed. Incorrect login for user: admin

This looks like a bug in Sideview Utils. How can I get the dashboard to look like the search?

---
If this reply helps you, Karma would be appreciated.
1 Solution

sideview
SplunkTrust

The sparkline() function in stats outputs a weird little multivalue format exactly as you see it in the Table. Splunk's SimpleResultsTable then picks up on that format and renders a little sparkline. You can actually do weird things by constructing the multivalue format yourself, and indeed the SimpleResultsTable can be tricked into rendering little sparklines.

The problem in the Sideview Table module was just that it didn't implement this convention.

However, it only took about 30 minutes to implement and write a test case, and it'll now go out in the next release of Sideview Utils. (The bulk of the sparkline feature is already implemented as a jQuery plugin, and since that plugin already ships in core Splunk, this really was dead easy.)

Thanks for reporting the gap in functionality. Again, look for 2.6.5 when it comes out in the next few days. And if you're not on it already, there's a mailing list that just announces new Sideview Utils releases. http://sideviewapps.com/apps/sideview-utils/mailing-list/
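
The multivalue convention described in this answer, as an added example that is not part of the original post and is not Sideview's or Splunk's code: a cell is treated as a sparkline only when its first value is the `##__SPARKLINE__##` marker and every following value is a plain number, and anything else falls back to text. The names `parseSparklineCell`, `classifyRows` and `sampleRows` are hypothetical, and the sample rows are constructed.

```javascript
// Added example: recognise the stats sparkline() multivalue convention in a
// table cell. Hypothetical helper names; not Sideview Utils or Splunk code.
const SPARKLINE_MARKER = "##__SPARKLINE__##";

// cell: a string (single value) or an array of strings (multivalue field).
// Returns { kind: "sparkline", values: number[] } only when the first value is
// the marker and every remaining value is a plain decimal number. Otherwise
// returns { kind: "text", text } so the caller renders it as escaped text
// instead of handing arbitrary field content to a chart renderer.
function parseSparklineCell(cell) {
  const parts = Array.isArray(cell) ? cell.map(String) : [String(cell)];
  const asText = { kind: "text", text: parts.join(" ") };
  if (parts.length < 2 || parts[0] !== SPARKLINE_MARKER) return asText;

  const values = [];
  for (const raw of parts.slice(1)) {
    const s = raw.trim();
    // Accept plain decimals only; reject "", "NaN", "0x10", markup, etc.
    if (!/^-?\d+(\.\d+)?$/.test(s)) return asText;
    values.push(Number(s));
  }
  return { kind: "sparkline", values };
}

// Constructed sample rows in the shape of the results shown in the question.
const sampleRows = [
  { Level: "ERROR", Trend: ["##__SPARKLINE__##", "0", "4", "1", "0", "5"], Occurs: "10" },
  // Marker present but a non-numeric value follows: must not be charted.
  { Level: "WARN", Trend: ["##__SPARKLINE__##", "3", "<b>x</b>"], Occurs: "12" },
  // Ordinary single-value cell.
  { Level: "WARN", Trend: "n/a", Occurs: "11" },
];

// Classify the Trend cell of every row.
function classifyRows(rows) {
  return rows.map((row) => parseSparklineCell(row.Trend));
}

console.log(classifyRows(sampleRows));
```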

cphair
Builder

Thanks for the tip that sparklines are multivalued fields. It helped me figure out that to preserve an already-created sparkline in a table in further statistical searches, you need to use stats list(YourSparklineField).

richgalloway
SplunkTrust

Sideview version 2.6.5 fixed the problem.

sideview
SplunkTrust

2.6.5 released today and the Table module now has full support for the stats sparkline(count) and all other sparkline permutations. http://sideviewapps.com/apps/sideview-utils

richgalloway
SplunkTrust

Thanks for adding support for sparklines. I'll check it out when the new release is available.
