https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272295#M81939 <P>About, is | stats sparkline(sum(count),1h) as sparkline,sum(count) as count by dest portion of the search just presenting the already-searched-for data in a easier to understand format,</P> <P>Yes, exactly. It just does a counting and presenting it as sparkline chart. </P> <P>The tstats get the data and stats+sparkline does counting and charting. </P> Wed, 26 Oct 2016 02:29:56 GMT inventsekar 2016-10-26T02:29:56Z https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272292#M81936 <P>Is sparkline adding any new information to the results of this search, or is it just presenting the same information in a different format?</P> <P>Here is the search:</P> <PRE><CODE>| tstats `summariesonly` count from datamodel=Authentication by _time,Authentication.dest span=1h | `drop_dm_object_name("Authentication")` | stats sparkline(sum(count),1h) as sparkline,sum(count) as count by dest | sort - count </CODE></PRE> <P>So is the sparkline command actually presenting new data from the tstats command?</P> Tue, 25 Oct 2016 17:37:13 GMT https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272292#M81936 Justin1224 2016-10-25T17:37:13Z https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272293#M81937 <P>Sparkling command just creates a sparkling (chart/graph).</P> <P>Sparklines are inline charts that appear within table cells in search results, and are designed to display time-based trends associated with the primary key of each row.</P> <P>If you are working with stats and chart searches, you can increase their usefulness and overall information density by adding sparklines to their result tables. <BR /> A sample sparkling is - <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2064i139CA2B66E104434/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>So is the sparkline command actually presenting new data from the tstats command? <BR /> actually, it presents the data from stats command. </P> Tue, 25 Oct 2016 17:53:34 GMT https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272293#M81937 inventsekar 2016-10-25T17:53:34Z https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272294#M81938 <P>Right so what I'm asking is, is this: | stats sparkline(sum(count),1h) as sparkline,sum(count) as count by dest portion of the search just presenting the already-searched-for data in a easier to understand format, or is it actually getting new data? Like, is it getting new data from the indexes that this: | tstats <CODE>summariesonly</CODE> count from datamodel=Authentication by _time,Authentication.dest span=1h portion of the search isn't getting?</P> Wed, 26 Oct 2016 01:43:24 GMT https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272294#M81938 Justin1224 2016-10-26T01:43:24Z https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272295#M81939 <P>About, is | stats sparkline(sum(count),1h) as sparkline,sum(count) as count by dest portion of the search just presenting the already-searched-for data in a easier to understand format,</P> <P>Yes, exactly. It just does a counting and presenting it as sparkline chart. </P> <P>The tstats get the data and stats+sparkline does counting and charting. </P> Wed, 26 Oct 2016 02:29:56 GMT https://community.splunk.com/t5/Splunk-Search/Is-sparkline-adding-any-new-information-to-my-search-results/m-p/272295#M81939 inventsekar 2016-10-26T02:29:56Z