Dashboards & Visualizations

How to edit my search to incorporate a sparkline based on three values?

hchang
New Member

Hi,

I have some data like below, and I am trying to make a weekly summary.

index      week      machine    num_of_alert
usage     wk_44     host1           0
usage     wk_44     host2           0
usage     wk_45     host1          10
usage     wk_45     host2           2
usage     wk_46     host1           0
usage     wk_46     host2           1

The format of the weekly summary is like below. Basically I just wanna show the number of alerts for the last week and a column that shows the trend (total alerts of each week) for each week.

index     sparkline    total_alert
usage    -----/ \-------     1

I tried the following search, hoping Splunk could make a sparkline based on three values (wk44: 0, wk45: 12, wk46: 1), so that when I review the data for the most recent week I can also see the history trend. Unfortunately, the sparkline doesn't work as I expected (spike in the middle). In the beginning I tried sparkline(ttl_alert); it doesn't work either.

| stats sum(num_of_alert) AS ttl_alert by index week | stats sparkline(sum(ttl_alert)) last(ttl_alert) by index

Can anyone advise how to make this work?

Thanks,
Frank

0 Karma

snoobzilla
Builder

Sparkline is looking for _time in events stream...

If data is already preformatted to week you will need to convert week to time I think.
| eval _time=somethingthatconvertsweekstotime

https://answers.splunk.com/answers/179794/how-to-convert-week-of-year-number-to-a-standard-d.html

After you convert weeks to _time above, below should work.

| stats sparkline(sum(num_of_alert)) AS trend sum(num_of_alert) AS total_alert by index

0 Karma
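
The week-to-_time conversion suggested in the answer above, as an added example that is not part of either post. The sample rows are constructed from the question's table. The field names assumed_year and week_num, the year value 2023, and the approximation of week N as January 1 plus (N - 1) * 7 days (not ISO week numbering) are assumptions.

```spl
| makeresults
| eval raw=split("wk_44,host1,0;wk_44,host2,0;wk_45,host1,10;wk_45,host2,2;wk_46,host1,0;wk_46,host2,1", ";")
| mvexpand raw
| rex field=raw "^(?<week>[^,]+),(?<machine>[^,]+),(?<num_of_alert>\d+)$"
| eval index="usage", assumed_year="2023"
| eval week_num=tonumber(replace(week, "^wk_", ""))
| stats sum(num_of_alert) AS ttl_alert by index assumed_year week_num
| eval _time=strptime(assumed_year."-01-01", "%Y-%m-%d") + (week_num - 1) * 604800
| stats sparkline(sum(ttl_alert), 7d) AS trend latest(ttl_alert) AS total_alert by index
```

The first stats collapses the hosts into one row per week, so after _time is assigned the 7d span gives the sparkline one bucket per week (0, 12, 1) and latest() returns the most recent week's total instead of the sum of all weeks.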