Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is sparkline adding any new information to my search results?

Justin1224
Communicator
‎10-25-2016 10:37 AM

Is sparkline adding any new information to the results of this search, or is it just presenting the same information in a different format?

Here is the search:

| tstats `summariesonly` count from datamodel=Authentication by _time,Authentication.dest span=1h | `drop_dm_object_name("Authentication")` | stats sparkline(sum(count),1h) as sparkline,sum(count) as count by dest | sort - count

So is the sparkline command actually presenting new data from the tstats command?

Tags (3)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-25-2016 10:53 AM

Sparkling command just creates a sparkling (chart/graph).

Sparklines are inline charts that appear within table cells in search results, and are designed to display time-based trends associated with the primary key of each row.

If you are working with stats and chart searches, you can increase their usefulness and overall information density by adding sparklines to their result tables.
A sample sparkling is -
alt text

So is the sparkline command actually presenting new data from the tstats command?
actually, it presents the data from stats command.

Preview file
1 KB
Reply

Justin1224
Communicator
‎10-25-2016 06:43 PM

Right so what I'm asking is, is this: | stats sparkline(sum(count),1h) as sparkline,sum(count) as count by dest portion of the search just presenting the already-searched-for data in a easier to understand format, or is it actually getting new data? Like, is it getting new data from the indexes that this: | tstats summariesonly count from datamodel=Authentication by _time,Authentication.dest span=1h portion of the search isn't getting?

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-25-2016 07:29 PM

About, is | stats sparkline(sum(count),1h) as sparkline,sum(count) as count by dest portion of the search just presenting the already-searched-for data in a easier to understand format,

Yes, exactly. It just does a counting and presenting it as sparkline chart.

The tstats get the data and stats+sparkline does counting and charting.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...