When I run this search:
index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND
("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") |
stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs |
rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message
I get these results:
However, when I try to do the same thing using this Advanced XML:
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search"><![CDATA[index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND
("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") |
stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs |
rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message]]></param>
<module name="JobProgressIndicator"></module>
<module name="Pager">
(Please forgive the poor formatting. I couldn't get the XML to display properly as code.)
I get these results:
Level   Trend                                                                                                    Occurs  Message
ERROR   ##__SPARKLINE__## 0 4 1 0 5 0 5 0 5 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0 5 0 5 0 4 1 0 5 0 6 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0  106     Login failed: Username and password are required
ERROR   ##__SPARKLINE__## 0 2 1 0 3 0 3 0 3 0 3 0 0 3 0 3 0 3 0 1 2 0 3 0 3 0 3 0 3 0 0 3 0 6 0 3 0 0 3 0 3 0 3 0 0 3 0 3 0  66      Login failed. Incorrect login for user: admin
This looks like a bug in Sideview Utils. How can I get the dashboard to look like the search?
The sparkline() function in stats outputs a weird little multivalue format, exactly as you see it in the Table. Splunk's SimpleResultsTable then picks up on that format and renders a little sparkline. You can actually do weird things by constructing the multivalue format yourself, and indeed the SimpleResultsTable can be tricked into rendering little sparklines.
The problem in the Sideview Table module was just that it didn't implement this convention.
However, it only took about 30 minutes to implement and write a test case, and it'll now go out in the next release of Sideview Utils. (The bulk of the sparkline feature is already implemented as a jQuery plugin, and since that plugin already ships in core Splunk, this really was dead easy.)
Thanks for reporting the gap in functionality. Again look for 2.6.5 when it comes out in the next few days. And if you're not on it already, there's a mailing list that just announces new Sideview Utils releases. http://sideviewapps.com/apps/sideview-utils/mailing-list/
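The convention the answer describes can be seen directly in the raw Trend cells above: the first value is the marker ##__SPARKLINE__##, and the rest are per-bucket counts, which add up to the row's Occurs value (106 and 66). The following is an added example, not code from Sideview Utils or Splunk: a small JavaScript parser that recognises that multivalue layout, rejects anything that does not follow it (so an ordinary cell is still shown as text), and reduces it to a text sparkline plus a bucket summary. The two sample arrays are constructed from the values shown in the question; function names are my own.

```javascript
// Added example (not Sideview or Splunk code): parse the multivalue field that
// `stats sparkline(count)` emits and render it without a browser.
const SPARKLINE_MARKER = "##__SPARKLINE__##";

// Trend cells from the two rows in the question, constructed from the page's values.
const trendRow1 = [SPARKLINE_MARKER,
  0, 4, 1, 0, 5, 0, 5, 0, 5, 0, 5, 0, 0, 5, 0, 5, 0, 5, 0, 1, 4, 0, 5, 0, 5,
  0, 5, 0, 4, 1, 0, 5, 0, 6, 0, 5, 0, 0, 5, 0, 5, 0, 5, 0, 1, 4, 0, 5, 0];
const trendRow2 = [SPARKLINE_MARKER,
  0, 2, 1, 0, 3, 0, 3, 0, 3, 0, 3, 0, 0, 3, 0, 3, 0, 3, 0, 1, 2, 0, 3, 0, 3,
  0, 3, 0, 3, 0, 0, 3, 0, 6, 0, 3, 0, 0, 3, 0, 3, 0, 3, 0, 0, 3, 0, 3, 0];

// Returns the bucket counts, or null when the cell is not in the sparkline convention.
// Accepts either an array of values or the newline-joined text a raw table cell shows.
function parseSparkline(cell) {
  const parts = Array.isArray(cell) ? cell : String(cell).split(/\r?\n/);
  if (parts.length < 2 || String(parts[0]).trim() !== SPARKLINE_MARKER) {
    return null; // plain text cell: leave it to the normal renderer
  }
  const counts = parts.slice(1).map((v) => Number(String(v).trim()));
  // Every bucket must be a non-negative integer; anything else is not a sparkline.
  if (counts.some((n) => !Number.isInteger(n) || n < 0)) return null;
  return counts;
}

// Scale each bucket against the row's own peak and map it onto eight block glyphs.
function renderTextSparkline(counts) {
  const bars = "▁▂▃▄▅▆▇█";
  const max = Math.max(...counts, 1);
  return counts
    .map((n) => bars[Math.min(bars.length - 1, Math.round((n / max) * (bars.length - 1)))])
    .join("");
}

// Summary a table renderer (or a reviewer) would want: bucket count, total,
// the busiest bucket, and the drawn sparkline.
function summarizeTrend(cell) {
  const counts = parseSparkline(cell);
  if (counts === null) return null;
  return {
    buckets: counts.length,
    total: counts.reduce((a, b) => a + b, 0),
    peak: Math.max(...counts),
    sparkline: renderTextSparkline(counts),
  };
}

console.log(summarizeTrend(trendRow1));
console.log(summarizeTrend(trendRow2));
```

The `total` field is the check worth keeping: it must equal the row's Occurs value, which confirms the multivalue is nothing more than a marker followed by the per-bucket counts of the same events that `count(_time)` tallied. The `peak` field is handy when reviewing the failed-login rows, since a single bucket well above the others marks the interval to look at first.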
Thanks for the tip that sparklines are multivalued fields. It helped me figure out that to preserve an already-created sparkline in a table in further statistical searches, you need to use stats list(YourSparklineField).
Sideview version 2.6.5 fixed the problem.
2.6.5 released today and the Table module now has full support for the stats sparkline(count) and all other sparkline permutations. http://sideviewapps.com/apps/sideview-utils
Thanks for adding support for sparklines. I'll check it out when the new release is available.