topic Re: Adding sparklines to chart in Splunk Search

Adding sparklines to chart

cjenning — Mon, 28 Sep 2020 19:53:30 GMT

Hi, I have a chart that is a count of alerts by hostname and severity. I'd like to add a column that is a sparkline of alerts by time for each host. Here is my search and a screenshot of my chart with desired outcome. Help please?

index=techmon sourcetype="techmon_hpom_messages_history" | chart count by NODE_NAME,SEVERITY | addTOTALS labelfield=SEVERITY label=Total| sort -Total| head 20

Apparently need more splunk karma to post an attachment or a link so I will type out the chart here:

I want to add Sparkline after total that will graph the alerts over time. The field for the time is LOCAL_RECEIVING_TIME.

Thanks folks

Re: Adding sparklines to chart

jimodonald — Wed, 13 May 2015 00:50:36 GMT

You need to add the sparkline function to the chart command. See below.

index=techmon sourcetype="techmon_hpom_messages_history" | chart sparkline count by NODE_NAME,SEVERITY | addTOTALS labelfield=SEVERITY label=Total| sort -Total| head 20

Re: Adding sparklines to chart

cjenning — Mon, 28 Sep 2020 19:53:46 GMT

Thanks, but is there a way to do this so the sparklines are charted only by NODE_NAME while the count is by NODE_NAME and SEVERITY? In your solution I end up with 5 columns of sparklines.

Re: Adding sparklines to chart

jimodonald — Thu, 14 May 2015 01:16:14 GMT

Which field do you want to be used for the sparkline?

BTW, the docs describe how to do this pretty well.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/AddSparklinestoSearchResults

Re: Adding sparklines to chart

cjenning — Thu, 14 May 2015 15:02:33 GMT

I want the sparkline to be used for the total column. I tried going through that documentation but it didn't help me with this problem. Anyway I formulate my search I either get 5 sparklines or a chart way off from what I'm looking for with 1 broken sparkline.