How to use a sparkline with tstats

Runals
Motivator

I'd like to use a sparkline for quick volume context in conjunction with a tstats command because of its speed. If the following works

index=foo | stats sparkline

I would have assumed this would work as well

| tstats count where index=foo by _time | stats sparkline

I've tried a few variations of the tstats command. In the end what I generally get is a straight line which I'm interpreting to mean it is showing me there is a 'count' event for that time. If I use span in the tstats 'by' command the straight line becomes jagged but consistently so.

0 Karma
1 Solution

justinatpnnl
Communicator

If you specify the span in tstats, as well as adding specifics to the sparkline command, I think you'll have better luck. Here is an example search for the past 24 hours:

| tstats count where index=foo by _time span=10m | stats sparkline(sum(count), 10m) as Volume

Because | tstats returns tabled results instead of events, the default for sparkline just shows a count of 1 for each row. By specifying a sum for count, you should get better results.

haraksin
Path Finder

If you already have your tstats command outputting the format of events you want, you can just tack this on to the tstats command if you don't already have a BY clause:

by _time span=10m
| eventstats sparkline(sum(count), 10m)
| fields - _time

If you already do have a BY clause, just tack on the _time field and span argument. Then your results will have a sparkline just like above, except that you don't need to change your tstats to use prestats or make any other changes to avoid a double-transforming command.
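Pulling the accepted answer and the "already have a BY clause" variant together, here is a constructed example that is not from any post in this thread: a per-source volume table, which is the usual shape of a log-health panel on a SOC dashboard (a flat or suddenly empty trend is how you notice a forwarder or log source has gone quiet). `index=foo`, the `host` split and the 10-minute span are assumptions; swap in whatever index and grouping field you actually monitor. The tstats search buckets counts by host and 10-minute slot, then the second stats sums those bucket counts into a total and a sparkline per host. Using `sparkline(count)` or bare `sparkline` here would count rows, one per bucket, and give the straight line the question describes; `sum(count)` is what turns the bucket counts back into a volume trend.

```spl
| tstats count where index=foo earliest=-24h latest=now by host _time span=10m
| stats sum(count) as total sparkline(sum(count), 10m) as trend by host
| sort - total
```

The span given to sparkline matches the span given to tstats so each sparkline point is exactly one tstats bucket; if they differ, sparkline re-buckets the rows and you get a coarser or gappier line than expected. Drop the `by host` from both lines and you are back to the single-row form from the accepted answer, which is what a Single Value visualization wants.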

joshuapetitt
Path Finder

This is what I needed for making a sparkline on a Single Value visualization.  Worked very well!

0 Karma

Runals
Motivator

The sparkline(sum(count)) bit was the trick! Adding the span and time piece in the sparkline arguments isn't specifically needed, though certainly they have their place. Thanks.

0 Karma

justinatpnnl
Communicator

No problem, glad I could help! I like adding the time elements in to make sure I get what I'm expecting, but certainly not required.

0 Karma

rjthibod
Champion

Do you see anything different if you add span=1h or some other relevant span increment to the tstats search command?

0 Karma