- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How do I display sparklines for each day of the mo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I display sparklines for each day of the month?
I am doing search for a month and want to display a sparkline for each day. Any ideas?
TIA!
David L. Crooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dcrooks_cbp, when you use timechart and chart for 30 days span to bucket time by default will be 1 day.
You can use | bin span=1d before your statistical command to create time bucket of 1 day each.
Following are couple of run anywhere example using Splunk's _internal index for last 30 days and daily time span.
Using chart command.
index=_internal sourcetype=splunkd earliest=-30d@d latest=now log_level!=INFO
| bin _time span=1d
| chart sparkline count by log_level
Using stats command
index=_internal sourcetype=splunkd earliest=-30d@d latest=now log_level!=INFO
| bin _time span=1d
| stats sparkline count by log_level
PS: Sparkline Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Search/Addsparklinestosearchresults
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search where I used the span=1d for a seven day range and for some reason returns eight places instead:
SPARKLINE##,1,1,0,0,0,0,0,0
I have another search that starts off working and then at the end flat lines to all zeros. It also fails to follow the span and returns over 50 places for a 30 day time range.
Any ideas?
TIA
David L. Crooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the difference it by one it may be due to time range i.e. earliest and latest not snapping to the beginning of the day or may be due to timezone difference. However, 50 series instead of 30 implies some other issue.
For us to assist you better, you might have to provide your existing query or try to replicate with some run anywhere example like the one in my answer based on Splunk's _internal index which should always be present in all Splunk instances.
Meanwhile, can you also test Column Chart or Statistical table to see if there are actually 50 buckets for the following or 30 buckets.
PS: I have taken out sparkline and added split by _time in the query.
index=_internal sourcetype=splunkd earliest=-30d@d latest=now log_level!=INFO
| bin _time span=1d
| stats count by _time log_level
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, we want to help you get to your treasure. yes we need another piece of the puzzle or at least the corner of the treasure map.
are you trying to ... | timechart <something> as <something> span=1d ...
are you trying to see the trend in each particular day?
what have you done so far that didnt work?
a sample of your data and desired results / screenshot will help great deal
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
