Hi,
I have some data like below, and I am trying to make a weekly summary.
index  week   machine  num_of_alert
usage  wk_44  host1    0
usage  wk_44  host2    0
usage  wk_45  host1    10
usage  wk_45  host2    2
usage  wk_46  host1    0
usage  wk_46  host2    1
The format of the weekly summary is like below. Basically I just wanna show the number of alerts for the last week and a column that shows the trend (total alerts of each week) for each week.
index  sparkline        total_alert
usage  -----/ \-------  1
I tried the following search and I was hoping that Splunk could make a sparkline based on three values (wk44: 0, wk45: 12, wk46: 1), so that when I review the data for the most recent week I can also see the history trend; unfortunately the sparkline doesn't work as I expected (spike in the middle). In the beginning I tried sparkline(ttl_alert), but it doesn't work either.
| stats sum(num_of_alert) AS ttl_alert by index week | stats sparkline(sum(ttl_alert)) last(ttl_alert) by index
Can anyone advise how to make this work?
Thanks,
Frank
Sparkline is looking for _time in the event stream...
If the data is already preformatted by week, you will need to convert week to time, I think.
| eval _time=somethingthatconvertsweekstotime
https://answers.splunk.com/answers/179794/how-to-convert-week-of-year-number-to-a-standard-d.html
After you convert weeks to _time above, below should work.
| stats sparkline(sum(num_of_alert)) AS trend sum(num_of_alert) AS total_alert by index
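A complete, self-contained version of the two-step approach in the answer above, added here as an example and not posted by either participant. The first block builds the sample rows from the question with makeresults (constructed data); the week-to-_time conversion assumes all weeks fall in one year (2016 is a constructed placeholder) and pins each week to a Sunday by arithmetic (week 1 starting 2016-01-03, plus 604800 seconds per week) rather than relying on a week-number strptime specifier, so the sparkline gets one bucket per week and latest() can pick the most recent week's total:

```spl
| makeresults count=6
| streamstats count AS row
| eval index="usage",
       week=case(row<=2, "wk_44", row<=4, "wk_45", true(), "wk_46"),
       machine=if(row%2==1, "host1", "host2"),
       num_of_alert=case(row==3, 10, row==4, 2, row==6, 1, true(), 0)
| fields - _time, row
| stats sum(num_of_alert) AS weekly_total BY index week
| eval week_num=tonumber(replace(week, "^wk_", ""))
| eval _time=strptime("2016-01-03", "%Y-%m-%d") + (week_num - 1) * 604800
| stats sparkline(sum(weekly_total), 1w) AS trend
        latest(weekly_total) AS last_week_alerts
        BY index
```

With the sample data the sparkline carries the three weekly points 0, 12 and 1, and last_week_alerts is 1 (wk_46), which matches the summary layout in the question; replace the first three commands with the real weekly search and drop the placeholder year for a value derived from the actual data.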