
Sparkline bug ?

SplunkTrust

When I run this search:

index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND 
    ("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") | 
    stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
    eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs | 
    rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message

I get these results:

[image]

However, when I try to do the same thing using this Advanced XML:

<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
  <!-- Same search as above, run as a hidden search for the dashboard panel -->
  <param name="search"><![CDATA[index=_internal NOT "SSL Error*" AND (log_level="WARN" OR log_level="ERROR") AND
    ("Login failed" OR "Configuration error" OR "Access is denied" OR "ICMA" OR "tenablesc" OR "odata") |
    stats sparkline(count) AS Trend, count(_time) AS Occurs by log_level,message | where Occurs > 9 |
    eval level=case(log_level="ERROR",1,log_level="WARN",2,log_level="INFO",3) | sort level, -Occurs |
    rename log_level AS Level, message AS Message | fields level, Level, Trend, Occurs, Message]]></param>
  <module name="JobProgressIndicator"></module>
  <module name="Pager">
    <param name="entityName">results</param>
    <module name="Table">
      <param name="hiddenFields">"level"</param>
      <param name="name">click</param>
      <!-- Clicking a row opens the matching events in flashtimeline -->
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search index=_internal AND "$click.fields.Message$"</param>
        <param name="arg.earliest">$search.timeRange.earliest$</param>
        <param name="arg.latest">$search.timeRange.latest$</param>
      </module>
    </module>
  </module>
</module>

(Please forgive the poor formatting. I couldn't get the XML to display properly as code.)

I get these results:

Level   Trend   Occurs  Message
ERROR   ##__SPARKLINE__## 0 4 1 0 5 0 5 0 5 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0 5 0 5 0 4 1 0 5 0 6 0 5 0 0 5 0 5 0 5 0 1 4 0 5 0   106   Login failed: Username and password are required
ERROR   ##__SPARKLINE__## 0 2 1 0 3 0 3 0 3 0 3 0 0 3 0 3 0 3 0 1 2 0 3 0 3 0 3 0 3 0 0 3 0 6 0 3 0 0 3 0 3 0 3 0 0 3 0 3 0   66   Login failed. Incorrect login for user: admin

This looks like a bug in Sideview Utils. How can I get the dashboard to look like the search?

---
If this reply helps you, an upvote would be appreciated.

Re: Sparkline bug ?

SplunkTrust

The sparkline() function in stats outputs a weird little multivalue format exactly as you see it in the Table. Splunk's SimpleResultsTable then picks up on that format and renders a little sparkline. You can actually do weird things by constructing the multivalue format yourself, and indeed the SimpleResultsTable can be tricked into rendering little sparklines.

The problem in the Sideview Table module was just that it didn't implement this convention.

However it only took about 30 minutes to implement and write a testcase, and it'll now go out in the next release of Sideview Utils. (the bulk of the sparkline feature is already implemented as a jquery plugin, and since that plugin already ships in core Splunk, this really was dead easy)

Thanks for reporting the gap in functionality. Again look for 2.6.5 when it comes out in the next few days. And if you're not on it already, there's a mailing list that just announces new Sideview Utils releases. http://sideviewapps.com/apps/sideview-utils/mailing-list/
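
The convention described in this answer, as an added example that is not part of the original thread and is not Sideview Utils or Splunk code: a table cell renderer that recognises the `##__SPARKLINE__##` marker at the head of a multivalue field and treats the remaining values as a numeric series. The function names, the array model of a multivalue cell, and the text-bar rendering are assumptions made for illustration; because the marker can be constructed by hand, as the answer notes, the parser accepts only plain numbers after it.

```javascript
// Hypothetical names throughout; a multivalue cell is modelled as an array of strings.
const SPARKLINE_MARKER = "##__SPARKLINE__##";
const NUMERIC = /^-?\d+(\.\d+)?$/;
const BARS = "▁▂▃▄▅▆▇█";

// Return the numeric series if the cell follows the sparkline convention, else null.
function parseSparklineCell(cell) {
  if (!Array.isArray(cell) || cell[0] !== SPARKLINE_MARKER) return null;
  const raw = cell.slice(1);
  // The marker can be hand-built in a search, so everything after it is
  // validated before it is handed to a renderer.
  if (raw.length === 0 || !raw.every((v) => NUMERIC.test(String(v)))) return null;
  return raw.map(Number);
}

// Scale each value to one of eight bar glyphs (stand-in for a graphical sparkline).
function renderTextSparkline(values) {
  const min = Math.min(...values);
  const span = Math.max(...values) - min || 1; // flat series: avoid divide-by-zero
  return values
    .map((v) => BARS[Math.round(((v - min) / span) * (BARS.length - 1))])
    .join("");
}

// What a table module does per cell: draw a sparkline when the convention
// matches, otherwise fall back to showing the values as-is.
function renderCell(cell) {
  const series = parseSparklineCell(cell);
  if (series) return renderTextSparkline(series);
  return Array.isArray(cell) ? cell.join("\n") : String(cell);
}

// Constructed sample: the first five Trend values from the first row above.
const sampleTrend = [SPARKLINE_MARKER, "0", "4", "1", "0", "5"];
console.log(renderCell(sampleTrend));
console.log(renderCell("106"));
```

A table that skips the marker check takes the fallback path for every cell, which is the raw output shown in the question.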


Re: Sparkline bug ?

SplunkTrust

Thanks for adding support for sparklines. I'll check it out when the new release is available.


Re: Sparkline bug ?

SplunkTrust

2.6.5 released today and the Table module now has full support for the stats sparkline(count) and all other sparkline permutations. http://sideviewapps.com/apps/sideview-utils


Re: Sparkline bug ?

SplunkTrust

Sideview version 2.6.5 fixed the problem.


Re: Sparkline bug ?

Builder

Thanks for the tip that sparklines are multivalued fields. It helped me figure out that to preserve an already-created sparkline in a table in further statistical searches, you need to use stats list(YourSparklineField).
