Is there a way to implement sparklines into the following query in the last column here?
table Name SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time |timechart span=1d count(*)|rename "count(Name)" as Servers|eval _time=strftime(_time, "%A")|foreach count*[eval <> = round('<>'/Servers*100,2)]|rename "count(Domain)" as "Domain Compliance"|rename "count(OS)" as "OS Compliance","_time" as "Day","count(IsVirtual)" as "Virtual Flag Compliance","count(NumberOfProcessors)" as "Processor Compliance","count(Serial_Number)" as "Serial Number Compliance","count(Site)" as "Site Compliance","count(SystemRole)" as "System Role Compliance","count(Total_Physical_Memory)" as "Memory Compliance" |fields - Servers,_span*|transpose header_field=Day
Quick view of column would like Sparkline to be at the end
column Tuesday Wednesday Thursday
Domain Compliance 98.28 98.47 98.58
Memory Compliance 97.7 97.81 97.97
OS Compliance 96.29 96.17 95.89
Processor Compliance 11.23 11.56 12.29
Serial Number Compliance 98.73 98.83 99.03
Site Compliance 97.89 97.67 97.54
System Role Compliance 85.99 90.66 94.03
Virtual Flag Compliance 100 100 100
Thanks for any help
Sparklines can be added to statistical reporting functions (like chart, stats, timechart) only for the count command and it draws the same based on time span. It shows total count in the Table column and shows time span in the sparkline. If you want to show time span also in tabular as well you might have to separate the queries as two adjacent panels. Sparkline details and example can be found in the following Splunk documentation: http://docs.splunk.com/Documentation/Splunk/latest/Search/Addsparklinestosearchresults
Following is an example of the same. I have also applied JS script from Layout Customization: Panel Width example in Splunk 6.x Dashboard Examples App, in order to have the two tables occupy 70%-30% of the entire row.
Dashboard Simple XML Code
<dashboard script="customtablewidth7030.js">
<label>Sparkline with Details</label>
<description>Sparkline</description>
<row>
<panel>
<title>Stats by Month Date</title>
<table>
<search id="sparklineBaseSearch">
<query>index=_internal date_mday=*
| chart count over sourcetype by date_mday | sort sourcetype</query>
<earliest>@w0</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Sparkline</title>
<table>
<search>
<query>index=_internal date_mday=*
| chart sparkline count as Total over sourcetype
| sort sourcetype
| fields - sourcetype count</query>
<earliest>@w0</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
JS extension code for customtablewidth7030.js included in dashabord (must be placed in $SPLUNK_HOME\etc\app<YourAppName>\appserver\static folder. It requires splunkd restart and cleaning of internet browser cache)
require(['jquery', 'splunkjs/mvc/simplexml/ready!'], function($) {
// Grab the DOM for the first dashboard row
var firstRow = $('.dashboard-row').first();
// Get the dashboard cells (which are the parent elements of the actual panels and define the panel size)
var panelCells = $(firstRow).children('.dashboard-cell');
// Adjust the cells' width
$(panelCells[0]).css('width', '70%');
$(panelCells[1]).css('width', '30%');
});
PS: I have not used Post Processing. But should be feasible.
As an alternate to Sparkline you should also explore Horizon Chart Custom Visualization which will show adjacent numeric difference and also overlaid sparkline series for various statistical splits over the same time frame.
I'm not sure sparklines are what you're looking for. Are you looking for a column at the end that shows a line of values for Tuesday Wednesday and Thursday for each of the columns (Domain Compliance, Memory Compliance, etc.)? For example, at the end of Domain compliance row, there would be a column and a little line graph in it that was almost a straight line with three data points showing 98.28, 98.47 and 98.58? I'm not sure that sparkline will get you that.
I did edit the syntax a hair so that in your timechart it isn't naming everything as count(Name), etc. I know you're renaming everything, but it just made it cleaner, in my opinion.
|table Name SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time |timechart span=1d count(*) as *|rename "Name" as Servers|eval _time=strftime(_time, "%A")|foreach count[eval <> = round('<>'/Servers*100,2)]|rename "Domain" as "Domain Compliance"|rename "OS" as "OS Compliance","_time" as "Day","IsVirtual" as "Virtual Flag Compliance","NumberOfProcessors" as "Processor Compliance","Serial_Number" as "Serial Number Compliance","Site" as "Site Compliance","SystemRole" as "System Role Compliance","Total_Physical_Memory" as "Memory Compliance" |fields - Servers,_span*|transpose header_field=Day
Yes I would like some kind of line graph at the end of the chart.
Thanks for the rename