Re: How to use sparkline in search with inputlooku...

sbimizry · ‎08-06-2019

Hi,
I try used it... index=indexname | chart sparkline count by field and this worked, but this not worked | inputlookup lookupname | chart sparkline count by field why and how to fix it? How to I must use sparkline with inputlookup?
Thanks

efloss · ‎08-25-2022

If anyone ever runs into this in the future and are having issues like I was, everything in this post applies but even though you are calling | inputlookup and your searching time frame doesn't apply to bringing back results, you do need to search over the range for the sparkline to form properly. Basically for a 30 days sparkline, making sure you run the search over the last 30 days even though its not actually searching 30 days of events.

niketn · ‎08-06-2019

@sbimizry what is the field containing epoch time in your lookup? Or do you have time in lookup available as String time? In either case community would be able to assist you better if you provide field names with some sample data from your lookup file.

For example

time          field
2019/01/01 20:08:00          value1
2019/01/01 20:09:00          value1
2019/01/01 20:10:00          value1
2019/01/01 20:08:00          value2
2019/01/01 20:10:00          value2

Then following would be the query. If time in lookup is String time following eval with strptime() would be required to convert string time to epoch. Otherwise _time can be directly overridden with | eval _time=time when time field is already epoch time.

| inputlookup lookupname 
| eval _time=strptime(time,"%Y/%m/%d %H:%M:%S")
| chart sparkline count by field

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sbimizry · ‎08-07-2019

I did it, but it doesn’t work.
Example my data:

result_time                 name
1565083380               value1
1565083230               value1
1565087350               value2
1565078330               value3
1565066540               value2

kmaron · ‎08-06-2019

A sparkline is a trend over time. Does your inputlookup include _time?

sbimizry · ‎08-06-2019

Yes, this field exists

chris1337 · ‎08-06-2019

Hi,

are you sure, that your inputlookup is delivering some fields+values? Do you use the right fieldname to count? Is this fieldname available in your lookup output?

I tested it, there are no problems right now.

Greetings Chris

sbimizry · ‎08-06-2019

Yes, I'm sure everything is correct, but they do not work

chris1337 · ‎08-06-2019

Could you plz try the following:

| inputlookup lookupfile.csv

Is there any output?
Is there a field with values?

If yes, try:
| inputlookup lookupfile.csv | chart sparkline count by field_you_are_looking_for

Greetings, Chris

sbimizry · ‎08-06-2019

Output from lookup is exist and fields too, but sparkline not work

chris1337 · ‎08-06-2019

Ok, then I don´t know. My local test here worked fine. I´m sorry, I could not help you.

Greetings Chris

How to use sparkline in search with inputlookup?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

How to use sparkline in search with inputlookup?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions