Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to incorporate a sparkline based on three values?

hchang
New Member
‎12-02-2016 06:16 AM

Hi,

I have some data like below, and I am trying to make a weekly summary.

index      week      machine    num_of_alert
usage     wk_44     host1           0
usage     wk_44     host2           0
usage     wk_45     host1          10
usage     wk_45     host2           2
usage     wk_46     host1           0
usage     wk_46     host2           1

The format of the weekly summary is like below. Basically I just wanna show the number of alerts for the last week and a column that shows the trend (total alerts of each week) for each week.

index     sparkline    total_alert
usage    -----/ \-------     1

I tried the following search and I was hoping the Splunk can make a sparkline based on three values (wk44: 0, wk45: 12, wk46: 1) so that when I review the data for the most recent week, I can also see the history trend, unfortunately the sparkline doesn't work as I expected (spike in the middle). In the beginning I tried sparkline(ttl_alert), it doesn't work either. 

| stats sum(num_of_alert) AS ttl_alert by index week | stats sparkline(sum(ttl_alert)) last(ttl_alert) by index

Can anyone advise how to make this work?

Thanks,
Frank

0 Karma
Reply

snoobzilla
Builder
‎12-02-2016 11:43 AM

Sparkline is looking for _time in events stream...

If data is already preformatted to week you will need to convert week to time I think.
| eval _time=somethingthatconvertsweekstotime

https://answers.splunk.com/answers/179794/how-to-convert-week-of-year-number-to-a-standard-d.html

After you convert weeks to _time above, below should work.

| stats sparkline(sum(num_of_alert)) AS trend sum(num_of_alert) AS total_alert by index

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...