How do I do sparklines based on lookup table data

MonkeyK · ‎02-12-2020

Trying to create a sparkline from data in a lookup table

monitor_user_traffic.csv has fields
-user
-traffic_dest_ip
-app
-bytes_out
-time

when I run
| inputlookup monitor_user_traffic.csv
| eval _time=time
| stats sum(bytes_out) sparkline(sum(bytes_out),1d) as data_trend by user traffic_dest_ip app

I get a value for "sum(bytes_out)" but nothing under "sparkline(sum(bytes_out),1d) as data_trend"

Is there some sort of magical way that I need to alert my data for Splunk to be able to create a sparkline?

to4kawa · ‎02-15-2020

| gentimes start=1/1/2020 increment=12h end=31/1/2020 
| rename starttime as time 
| eval user=mvindex(split("A#B#C","#"),(random() % 3)) 
| eval traffic_dest_ip=mvindex(split("X.X.X.X#Y.Y.Y.Y","#"),(random() % 2))
| eval app="win"
| eval bytes_out=random() % 200 + 10 
`comment("this is sample, | inputlookup your_csv")`
| eval _time=time 
| stats sum(bytes_out) sparkline(sum(bytes_out),1d) as data_trend by user traffic_dest_ip app

niketn · ‎02-15-2020

@MonkeyK is the time field in lookup epoch time or string time. Do convert to epoch time using strptime() function.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

MonkeyK · ‎02-26-2020

@niketn time is in epoch time.

I have since figured out that if I sort the _time field with a key of "_time" rather than "time" it works.

How do I do sparklines based on lookup table data

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases