Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use sparkline in search with inputlookup?

sbimizry
Engager
‎08-06-2019 06:32 AM

Hi,
I try used it... index=indexname | chart sparkline count by field and this worked, but this not worked | inputlookup lookupname | chart sparkline count by field why and how to fix it? How to I must use sparkline with inputlookup?
Thanks

0 Karma
Reply

efloss
Engager
‎08-25-2022 02:46 PM

If anyone ever runs into this in the future and are having issues like I was, everything in this post applies but even though you are calling | inputlookup and your searching time frame doesn't apply to bringing back results, you do need to search over the range for the sparkline to form properly.  Basically for a 30 days sparkline, making sure you run the search over the last 30 days even though its not actually searching 30 days of events.

0 Karma
Reply

niketn
Legend
‎08-06-2019 09:26 AM

@sbimizry what is the field containing epoch time in your lookup? Or do you have time in lookup available as String time? In either case community would be able to assist you better if you provide field names with some sample data from your lookup file.

For example 

time          field
2019/01/01 20:08:00          value1
2019/01/01 20:09:00          value1
2019/01/01 20:10:00          value1
2019/01/01 20:08:00          value2
2019/01/01 20:10:00          value2

Then following would be the query. If time in lookup is String time following eval with strptime() would be required to convert string time to epoch. Otherwise _time can be directly overridden with | eval _time=time when time field is already epoch time.

| inputlookup lookupname 
| eval _time=strptime(time,"%Y/%m/%d %H:%M:%S")
| chart sparkline count by field
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sbimizry
Engager
‎08-07-2019 03:00 AM

I did it, but it doesn’t work.
Example my data:

result_time                 name
1565083380               value1
1565083230               value1
1565087350               value2
1565078330               value3
1565066540               value2
0 Karma
Reply

kmaron
Motivator
‎08-06-2019 07:51 AM

A sparkline is a trend over time. Does your inputlookup include _time?

0 Karma
Reply

sbimizry
Engager
‎08-06-2019 08:16 AM

Yes, this field exists

0 Karma
Reply

chris1337
Explorer
‎08-06-2019 06:55 AM

Hi,

are you sure, that your inputlookup is delivering some fields+values? Do you use the right fieldname to count? Is this fieldname available in your lookup output?

I tested it, there are no problems right now.

Greetings Chris

0 Karma
Reply

sbimizry
Engager
‎08-06-2019 07:05 AM

Yes, I'm sure everything is correct, but they do not work

0 Karma
Reply

chris1337
Explorer
‎08-06-2019 07:08 AM

Could you plz try the following:

| inputlookup lookupfile.csv

  • Is there any output?
  • Is there a field with values?

If yes, try:
| inputlookup lookupfile.csv | chart sparkline count by field_you_are_looking_for

Greetings, Chris

0 Karma
Reply

sbimizry
Engager
‎08-06-2019 07:48 AM

Output from lookup is exist and fields too, but sparkline not work

0 Karma
Reply

chris1337
Explorer
‎08-06-2019 07:50 AM

Ok, then I don´t know. My local test here worked fine. I´m sorry, I could not help you.

Greetings Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top