Splunk Enterprise Security

Sparkline after Join Command Problem

zekiramhi
Path Finder

Hello Fellow Splunkers,

I have been trying the following query to pull the ES-notified hosts and bring in a sparkline of each host's log counts, to reduce the number of false positives on the "Event logging service has shut down" event alerts.

EventCode=1100 OR EventCode=1074 OR EventCode=6006 OR EventCode=6008 index=wineventlog sourcetype=WinEventLog 
    [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule" 
    | stats count by dest_nt_host 
    | fields - count 
    | rename dest_nt_host as search 
    | format] 
| convert ctime(_time) 
| eval tem = "* " ._time." - " .EventCode. " - " .Message 
| sort tem 
| stats values(tem) as tem by host 
| search tem=*1100* 
| join host 
    [ search index=wineventlog sourcetype=WinEventLog 
        [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule" 
        | stats count by dest_nt_host 
        | fields - count 
        | rename dest_nt_host as search 
        | format] 
    | stats sparkline(count) as sparkline by host ]

However, I have a problem applying a sparkline next to my table: the supposed sparkline chart returns a result of:

##__SPARKLINE__##,146,158,201,172,161,172,185,180,154,2361,986,202,570,192,2284,999,200,931,427,549,177,330,382,142,2448,3695,566,3409,490,3483,4671,4927,3000,3087,2873,159,280,139,113,164,132,141,135,151,186,176,140,146,88

I have tried adding the following line, which was mentioned in previous similar questions, at the end of my query:

| makemv delim="," setsv=true sparkline

However, I still end up with a string problem for the sparkline.

Any and all suggestions are welcome,
Regards,

0 Karma

ehqtrainorm
Explorer

Hey mate,

I had a similar issue with the sparkline persisting after a subsequent join/stats.

All I did was in the stats command following the join:
| stats list(spark) as spark

So yours would be after the join:
| stats list(sparkline) as sparkline by host

It worked for me. YMMV. Let me know how you go.

0 Karma
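Putting the answer's fix into the question's pipeline, as an added example assembled from this thread (not a query either poster tested); the index, source and field names are the ones used in the question. The only change is the final stats after the join, which re-aggregates the sparkline into a multivalue field again; values(tem) is included because stats would otherwise drop the tem column.

```spl
EventCode=1100 OR EventCode=1074 OR EventCode=6006 OR EventCode=6008 index=wineventlog sourcetype=WinEventLog
    [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule"
    | stats count by dest_nt_host
    | fields - count
    | rename dest_nt_host as search
    | format ]
| convert ctime(_time)
| eval tem = "* " . _time . " - " . EventCode . " - " . Message
| sort tem
| stats values(tem) as tem by host
| search tem=*1100*
| join host
    [ search index=wineventlog sourcetype=WinEventLog
        [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule"
        | stats count by dest_nt_host
        | fields - count
        | rename dest_nt_host as search
        | format ]
    | stats sparkline(count) as sparkline by host ]
| stats list(sparkline) as sparkline, values(tem) as tem by host
```

The makemv line from the question is not needed once the trailing stats is in place, since list() rebuilds the multivalue field with the ##__SPARKLINE__## marker as its first value.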