https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110452#M28887 <P>sure enough, it works with splitting it into bins. Thanks!</P> Mon, 30 Mar 2015 11:25:01 GMT giovere 2015-03-30T11:25:01Z https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110448#M28883 <P>Hi All</P> <P>Logged events look something like this:</P> <PRE><CODE>10:00 ComponentA: 3 ComponentB: 5 ComponentC: 8 10:01 ComponentA: 3 ComponentB: 4 ComponentC: 10 10:02 ComponentA: 5 ComponentB: 2 ComponentC: 12 </CODE></PRE> <P>Number of components is fixed, ideally I’d like to have a table with the latest value for component and a sparkline for the past 30 minutes or so.</P> <PRE><CODE>Component | Value| Sparkline ComponentA | 5 | Sparkline(3,3,5) ComponentB | 2 | Sparkline(5,4,2) ComponentC | 12 | Sparkline(8,10,12) </CODE></PRE> <P>(Optional) Bonus sub-step would be adding coloring map per row (Component)? Found in documentation a way to define it per table, but each Component has different threshold.</P> <P>Any help much appreciated.<BR /> Thanks in advance</P> Fri, 27 Mar 2015 10:34:02 GMT https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110448#M28883 giovere 2015-03-27T10:34:02Z https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110449#M28884 <P>This should do the trick</P> <PRE><CODE>your base search giving fields _time, ComponentA, ComponentB, ComponentC | fields _time, ComponentA, ComponentB, ComponentC | untable _time Component Value | stats latest(Value) as Value sparkline as Sparkline by Component </CODE></PRE> Fri, 27 Mar 2015 20:10:03 GMT https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110449#M28884 somesoni2 2015-03-27T20:10:03Z https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110450#M28885 <P>Thanks, this works quite well, except one thing. Is there a way to get sparkline(latest(Value),8h)? Apparently by default it supports aggregation functions like avg, mean, max etc., but what I'd rather have is a latest value for a given span.</P> Sat, 28 Mar 2015 07:16:51 GMT https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110450#M28885 giovere 2015-03-28T07:16:51Z https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110451#M28886 <P>You cant do this for specific aggregates unluss you rework your whole search. Otherwise you can add<BR /> ... | bin _time span=8h | ..</P> <P>Thats if I understand you're wanting to group all these together into 8h buckets.</P> Sat, 28 Mar 2015 10:38:54 GMT https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110451#M28886 esix_splunk 2015-03-28T10:38:54Z https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110452#M28887 <P>sure enough, it works with splitting it into bins. Thanks!</P> Mon, 30 Mar 2015 11:25:01 GMT https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110452#M28887 giovere 2015-03-30T11:25:01Z https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110453#M28888 <P>It works for me as well. thanks</P> Thu, 04 Jun 2015 10:41:08 GMT https://community.splunk.com/t5/Splunk-Search/Table-with-Sparklines-for-multiple-key-value-pairs/m-p/110453#M28888 sunnyparmar 2015-06-04T10:41:08Z