So I'm planning to normalize latency data for a network.
Search:
index=_* OR index=* sourcetype="defaut log" | rename Parent_Host as A, Child_Host as B | eventstats min(In) as minIn max(In) as maxIn by A B | eval val = (In-minIn)/(maxIn-minIn) | stats sparkline(avg(val)) as In by A B
Now I have normalized the data between 0-1 using the eventstats and eval, but I can't figure out how to display that normalized data in the sparkline, as
stats sparkline(val) as In by A B
throws an error, and doing
stats sparkline(avg(val)) as In by A B
is not the same as printing the sparkline of the values.
You don't need the () for sparkline. (docs)
Try like this:
index=_* OR index=* sourcetype="defaut log" | rename Parent_Host as A, Child_Host as B | eventstats min(In) as minIn max(In) as maxIn by A B | eval val = (In-minIn)/(maxIn-minIn) | stats sparkline avg(val) as In by A B
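
A self-contained version of the normalization discussed in this thread, added here as an example and not taken from either post: it guards the case maxIn == minIn, where the division would otherwise leave val empty for a host pair with constant latency, and gives the sparkline an explicit 1m span so a bucket never averages more than one sample. The host names, the In values and the makeresults scaffolding are constructed sample data.

```spl
| makeresults count=12
| streamstats count as n
| eval _time = now() - (12 - n) * 60
| eval A = "hostA", B = split("hostB,hostC", ",")
| mvexpand B
| eval In = if(B == "hostC", 40, 10 + n * 3)
| eventstats min(In) as minIn max(In) as maxIn by A B
| eval val = if(maxIn == minIn, 0, (In - minIn) / (maxIn - minIn))
| stats sparkline(avg(val), 1m) as In by A B
```

The hostA/hostB row shows a rising line from 0 to 1, while hostA/hostC (constant In) stays flat at 0 instead of dropping out.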