Splunk Search

Is there a way to add Sparklines within my timechart search?

jhayIV
Engager

Is there a way to implement sparklines into the following query in the last column here?

table Name SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time |timechart span=1d count(*)|rename "count(Name)" as Servers|eval _time=strftime(_time, "%A")|foreach count*[eval <<FIELD>> = round('<<FIELD>>'/Servers*100,2)]|rename "count(Domain)" as "Domain Compliance"|rename "count(OS)" as "OS Compliance","_time" as "Day","count(IsVirtual)" as "Virtual Flag Compliance","count(NumberOfProcessors)" as "Processor Compliance","count(Serial_Number)" as "Serial Number Compliance","count(Site)" as "Site Compliance","count(SystemRole)" as "System Role Compliance","count(Total_Physical_Memory)" as "Memory Compliance" |fields - Servers,_span*|transpose header_field=Day

Quick view of the columns; I would like the Sparkline to be at the end:

column                      Tuesday   Wednesday   Thursday
Domain Compliance           98.28     98.47       98.58
Memory Compliance           97.7      97.81       97.97
OS Compliance               96.29     96.17       95.89
Processor Compliance        11.23     11.56       12.29
Serial Number Compliance    98.73     98.83       99.03
Site Compliance             97.89     97.67       97.54
System Role Compliance      85.99     90.66       94.03
Virtual Flag Compliance     100       100         100

Thanks for any help

0 Karma

niketn
Legend

Sparklines can be added to statistical reporting functions (like chart, stats, timechart) only for the count command, and it draws the same based on the time span. It shows the total count in the table column and shows the time span in the sparkline. If you want to show the time span in tabular form as well, you might have to separate the queries into two adjacent panels. Sparkline details and an example can be found in the following Splunk documentation: http://docs.splunk.com/Documentation/Splunk/latest/Search/Addsparklinestosearchresults

Following is an example of the same. I have also applied JS script from Layout Customization: Panel Width example in Splunk 6.x Dashboard Examples App, in order to have the two tables occupy 70%-30% of the entire row.

Dashboard Simple XML Code

<dashboard script="customtablewidth7030.js">
  <label>Sparkline with Details</label>
  <description>Sparkline</description>
  <row>
    <panel>
      <title>Stats by Month Date</title>
      <table>
        <search id="sparklineBaseSearch">
          <query>index=_internal date_mday=* 
| chart count over sourcetype by date_mday | sort sourcetype</query>
          <earliest>@w0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Sparkline</title>
      <table>
        <search>
          <query>index=_internal date_mday=* 
| chart sparkline count as Total over sourcetype
| sort sourcetype
| fields - sourcetype count</query>
          <earliest>@w0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

JS extension code for customtablewidth7030.js included in the dashboard (must be placed in the $SPLUNK_HOME\etc\apps\<YourAppName>\appserver\static folder. It requires a splunkd restart and cleaning of the internet browser cache)

require(['jquery', 'splunkjs/mvc/simplexml/ready!'], function($) {

    // Grab the DOM for the first dashboard row
    var firstRow = $('.dashboard-row').first();

    // Get the dashboard cells (which are the parent elements of the actual panels and define the panel size)
    var panelCells = $(firstRow).children('.dashboard-cell');

    // Adjust the cells' width
    $(panelCells[0]).css('width', '70%');
    $(panelCells[1]).css('width', '30%');
});

PS: I have not used Post Processing. But should be feasible.

As an alternate to Sparkline you should also explore Horizon Chart Custom Visualization which will show adjacent numeric difference and also overlaid sparkline series for various statistical splits over the same time frame.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cmerriman
Super Champion

I'm not sure sparklines are what you're looking for. Are you looking for a column at the end that shows a line of values for Tuesday Wednesday and Thursday for each of the columns (Domain Compliance, Memory Compliance, etc.)? For example, at the end of Domain compliance row, there would be a column and a little line graph in it that was almost a straight line with three data points showing 98.28, 98.47 and 98.58? I'm not sure that sparkline will get you that.

I did edit the syntax a hair so that in your timechart it isn't naming everything as count(Name), etc. I know you're renaming everything, but it just made it cleaner, in my opinion.

|table Name SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time |timechart span=1d count(*) as *|rename "Name" as Servers|eval _time=strftime(_time, "%A")|foreach count[eval <<FIELD>> = round('<<FIELD>>'/Servers*100,2)]|rename "Domain" as "Domain Compliance"|rename "OS" as "OS Compliance","_time" as "Day","IsVirtual" as "Virtual Flag Compliance","NumberOfProcessors" as "Processor Compliance","Serial_Number" as "Serial Number Compliance","Site" as "Site Compliance","SystemRole" as "System Role Compliance","Total_Physical_Memory" as "Memory Compliance" |fields - Servers,_span*|transpose header_field=Day
0 Karma

jhayIV
Engager

Yes I would like some kind of line graph at the end of the chart.
Thanks for the rename

0 Karma