Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to adjust dynamic timespan in sparklines?

rjdefrancisco
Explorer
‎08-03-2023 10:48 AM

I'd  love to be able to dynamically adjust the timespan in  a sparkline, as in

 

...| eval timespan=tostring(round((now()-strptime("2023-07-26T09:45:06.00","%Y-%m-%dT%H:%M:%S.%N"))/6000))+"m"
   | chart sparkline(count,timespan) as Sparkline, count by src_ip

 

However, sparklines do not accept timespans in string format, and the example above results in the following error message:

 

Error in 'chart' command: Invalid timespan specified for sparkline.

 

Any suggestions? I see that this question was asked back in 2019, but I couldn't find the answer.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

danspav
SplunkTrust
SplunkTrust
‎08-03-2023 11:24 PM

Hi @rjdefrancisco,


If you are using the chart in a dashboard, you could create a new search that calculates the timespan  and saves the value to a token. Then you can use the token in your main search:

<dashboard version="1.1" theme="light">
  <label>My Dashboard</label>
  <search>
    <query>|makeresults | eval timespan=tostring(round((now()-strptime("2023-07-26T09:45:06.00","%Y-%m-%dT%H:%M:%S.%N"))/6000))+"m"</query>
    <done>
      <set token="timespan">$result.timespan$</set>
    </done>
  </search>
  ....
</dashboard>

 

Then you can update your main search to use the token:

...
| chart sparkline(count,$timespan$) as Sparkline, count by src_ip
...

 

Your main search won't run until the token is calculated. If you want, you can set a default value when the dashboard loads by using an init block:

<init>
    <set token="timespan">60m</set>
</init>

 

Cheers,
Daniel

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

danspav
SplunkTrust
SplunkTrust
‎08-03-2023 11:24 PM

Hi @rjdefrancisco,


If you are using the chart in a dashboard, you could create a new search that calculates the timespan  and saves the value to a token. Then you can use the token in your main search:

<dashboard version="1.1" theme="light">
  <label>My Dashboard</label>
  <search>
    <query>|makeresults | eval timespan=tostring(round((now()-strptime("2023-07-26T09:45:06.00","%Y-%m-%dT%H:%M:%S.%N"))/6000))+"m"</query>
    <done>
      <set token="timespan">$result.timespan$</set>
    </done>
  </search>
  ....
</dashboard>

 

Then you can update your main search to use the token:

...
| chart sparkline(count,$timespan$) as Sparkline, count by src_ip
...

 

Your main search won't run until the token is calculated. If you want, you can set a default value when the dashboard loads by using an init block:

<init>
    <set token="timespan">60m</set>
</init>

 

Cheers,
Daniel

0 Karma
Reply
Solved! Jump to solution

rjdefrancisco
Explorer
‎08-04-2023 10:09 AM

Thank you, @danspav! Your proposed solution works great.

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...