topic Re: Using a sparkline with tstats in Dashboards & Visualizations

How to use a sparkline with tstats

Runals — Thu, 24 Mar 2022 04:04:57 GMT

I'd like to use a sparkline for quick volume context in conjunction with a tstats command because of its speed. If the following works

index=foo | stats sparkline

I would have assumed this would work as well

| tstats count where index=foo by _time | stats sparkline

I've tried a few variations of the tstats command. In the end what I generally get is a straight line which I'm interpreting to mean it is showing me there is a 'count' event for that time. If I use span in the tstats 'by' command the straight line becomes jagged but consistently so.

Re: Using a sparkline with tstats

rjthibod — Tue, 14 Feb 2017 14:08:44 GMT

Do you see anything different if you add span=1h or some other relevant span increment to the tstats search command?

Re: Using a sparkline with tstats

justinatpnnl — Tue, 14 Feb 2017 14:37:13 GMT

If you specify the span in tstats, as well as adding specifics to the sparkline command, I think you'll have better luck. Here is an example search for the past 24 hours:

| tstats count where index=foo by _time span=10m | stats sparkline(sum(count), 10m) as Volume

Because | tstats returns tabled results instead of events, the default for sparkline just shows a count of 1 for each row. By specifying a sum for count, you should get better results.

Re: Using a sparkline with tstats

Runals — Tue, 14 Feb 2017 17:23:43 GMT

The sparkline(sum(count)) bit was the trick! Adding the span and time piece in the sparkline arguments isn't specifically needed though certainly they have their place. Thanks.

Re: Using a sparkline with tstats

justinatpnnl — Tue, 14 Feb 2017 17:30:02 GMT

No problem, glad I could help! I like adding the time elements in to make sure I get what I'm expecting, but certainly not required.

Re: Using a sparkline with tstats

haraksin — Fri, 08 Jan 2021 08:24:28 GMT

If you already have your tstats command outputting the format of events you want, you can just tack on this to the tstats command if you don't already have a BY clause:

by _time span=10m | eventstats sparkline(sum(count), 10m) | fields - _time

If you already do have a BY clause, just tack on the _time field and span argument. Then your results will have a sparkline just like as above, except that you don't need to change your tstats to use prestats or any other changes to avoid a double-transforming command.

Re: Using a sparkline with tstats

joshuapetitt — Thu, 24 Mar 2022 02:18:12 GMT

This is what I needed for making a sparkline on a Single Value visualization. Worked very well!