- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Single value delta in glass tables ES showing up a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Single value delta in glass tables ES showing up as N/A but drilling down shows results
I'm having an issue where building a glass table in ES for a single value delta ad-hoc search is showing up as N/A, but drilling into it shows me the visualization I want.
My search:
| inputlookup file.csv
| stats count by CASE_CLOSURETIME
| eval NewTime=strptime(CASE_CLOSURETIME,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime | sort -_time
| timechart count span=1mon
| tail 3
| sort _time
Essentially CASE_CLOSURETIME, is in the same time format as _time, and shows me the results I want with the historical trend as a single value visualization in SPL, but cannot get the same to show up in Glass Tables.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because of the recent comment: Like the thread owner said, glass tables can only display single values. A timechart isn't part of that. See the docs for a description of what works.
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This question was about the single-value delta visualization, right? That typically is based on timechart like data? Also: it works fine if I use the sparkline visualization. Just the single-value delta visualization fails.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever find a solution to this? Running into the same today. Feel like the delta viz expects some specific fields (value and delta or so?) rather than just a timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I did not, as someone stated below the timechart w/ lookups isn't part of the design scheme (doesn't really make sense to me why that cant be added).
The route I was told to go from Splunk was to get the data ingested into an index and then call it that way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, here's a better search (still the same results) but I know Glass Tables viz needs to end with timechart:
| inputlookup file.csv
| stats count by CASE_CLOSURETIME
| eval NewTime=strptime(CASE_CLOSURETIME,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime
| timechart count span=1mon
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
