Dashboards & Visualizations

How do I display sparklines for each day of the month?

dcrooks_cbp
New Member

I am doing search for a month and want to display a sparkline for each day. Any ideas?

TIA!

David L. Crooks

0 Karma

niketn
Legend

@dcrooks_cbp, when you use timechart and chart for 30 days span to bucket time by default will be 1 day.
You can use | bin span=1d before your statistical command to create time bucket of 1 day each.

Following are couple of run anywhere example using Splunk's _internal index for last 30 days and daily time span.

Using chart command.

index=_internal sourcetype=splunkd earliest=-30d@d latest=now log_level!=INFO
| bin _time span=1d
| chart sparkline count by log_level

Using stats command

index=_internal sourcetype=splunkd earliest=-30d@d latest=now log_level!=INFO
| bin _time span=1d
| stats sparkline count by log_level

PS: Sparkline Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Search/Addsparklinestosearchresults

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

dcrooks_cbp
New Member

I have a search where I used the span=1d for a seven day range and for some reason returns eight places instead:

SPARKLINE##,1,1,0,0,0,0,0,0

I have another search that starts off working and then at the end flat lines to all zeros. It also fails to follow the span and returns over 50 places for a 30 day time range.

Any ideas?
TIA
David L. Crooks

0 Karma

niketn
Legend

If the difference it by one it may be due to time range i.e. earliest and latest not snapping to the beginning of the day or may be due to timezone difference. However, 50 series instead of 30 implies some other issue.

For us to assist you better, you might have to provide your existing query or try to replicate with some run anywhere example like the one in my answer based on Splunk's _internal index which should always be present in all Splunk instances.

Meanwhile, can you also test Column Chart or Statistical table to see if there are actually 50 buckets for the following or 30 buckets.

PS: I have taken out sparkline and added split by _time in the query.

 index=_internal sourcetype=splunkd earliest=-30d@d latest=now log_level!=INFO
 | bin _time span=1d
 | stats count by _time log_level
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

adonio
Ultra Champion

yes, we want to help you get to your treasure. yes we need another piece of the puzzle or at least the corner of the treasure map.
are you trying to ... | timechart <something> as <something> span=1d ...
are you trying to see the trend in each particular day?
what have you done so far that didnt work?
a sample of your data and desired results / screenshot will help great deal

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...