Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to adjust dynamic timespan in sparklines?

rjdefrancisco
Explorer
‎08-03-2023 10:48 AM

I'd  love to be able to dynamically adjust the timespan in  a sparkline, as in

 

...| eval timespan=tostring(round((now()-strptime("2023-07-26T09:45:06.00","%Y-%m-%dT%H:%M:%S.%N"))/6000))+"m"
   | chart sparkline(count,timespan) as Sparkline, count by src_ip

 

However, sparklines do not accept timespans in string format, and the example above results in the following error message:

 

Error in 'chart' command: Invalid timespan specified for sparkline.

 

Any suggestions? I see that this question was asked back in 2019, but I couldn't find the answer.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

danspav
SplunkTrust
SplunkTrust
‎08-03-2023 11:24 PM

Hi @rjdefrancisco,


If you are using the chart in a dashboard, you could create a new search that calculates the timespan  and saves the value to a token. Then you can use the token in your main search:

<dashboard version="1.1" theme="light">
  <label>My Dashboard</label>
  <search>
    <query>|makeresults | eval timespan=tostring(round((now()-strptime("2023-07-26T09:45:06.00","%Y-%m-%dT%H:%M:%S.%N"))/6000))+"m"</query>
    <done>
      <set token="timespan">$result.timespan$</set>
    </done>
  </search>
  ....
</dashboard>

 

Then you can update your main search to use the token:

...
| chart sparkline(count,$timespan$) as Sparkline, count by src_ip
...

 

Your main search won't run until the token is calculated. If you want, you can set a default value when the dashboard loads by using an init block:

<init>
    <set token="timespan">60m</set>
</init>

 

Cheers,
Daniel

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

danspav
SplunkTrust
SplunkTrust
‎08-03-2023 11:24 PM

Hi @rjdefrancisco,


If you are using the chart in a dashboard, you could create a new search that calculates the timespan  and saves the value to a token. Then you can use the token in your main search:

<dashboard version="1.1" theme="light">
  <label>My Dashboard</label>
  <search>
    <query>|makeresults | eval timespan=tostring(round((now()-strptime("2023-07-26T09:45:06.00","%Y-%m-%dT%H:%M:%S.%N"))/6000))+"m"</query>
    <done>
      <set token="timespan">$result.timespan$</set>
    </done>
  </search>
  ....
</dashboard>

 

Then you can update your main search to use the token:

...
| chart sparkline(count,$timespan$) as Sparkline, count by src_ip
...

 

Your main search won't run until the token is calculated. If you want, you can set a default value when the dashboard loads by using an init block:

<init>
    <set token="timespan">60m</set>
</init>

 

Cheers,
Daniel

0 Karma
Reply
Solved! Jump to solution

rjdefrancisco
Explorer
‎08-04-2023 10:09 AM

Thank you, @danspav! Your proposed solution works great.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...