How to use sparkline in search with inputlookup?

sbimizry
Engager

Hi,
I tried this and it worked:
index=indexname | chart sparkline count by field
But this did not work:
| inputlookup lookupname | chart sparkline count by field
Why, and how do I fix it? How must I use sparkline with inputlookup?
Thanks

0 Karma

efloss
Engager

If anyone ever runs into this in the future and is having issues like I was, everything in this post applies, but even though you are calling | inputlookup and your search time frame doesn't apply to bringing back results, you do need to search over the range for the sparkline to form properly. Basically, for a 30-day sparkline, make sure you run the search over the last 30 days even though it's not actually searching 30 days of events.

0 Karma

niketn
Legend

@sbimizry what is the field containing epoch time in your lookup? Or do you have the time in the lookup available as a string time? In either case, the community would be able to assist you better if you provide field names with some sample data from your lookup file.

For example

time          field
2019/01/01 20:08:00          value1
2019/01/01 20:09:00          value1
2019/01/01 20:10:00          value1
2019/01/01 20:08:00          value2
2019/01/01 20:10:00          value2

Then the following would be the query. If the time in the lookup is a string time, the following eval with strptime() would be required to convert the string time to epoch. Otherwise, _time can be directly overridden with | eval _time=time when the time field is already epoch time.

| inputlookup lookupname 
| eval _time=strptime(time,"%Y/%m/%d %H:%M:%S")
| chart sparkline count by field
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sbimizry
Engager

I did it, but it doesn’t work.
Example of my data:

result_time                 name
1565083380               value1
1565083230               value1
1565087350               value2
1565078330               value3
1565066540               value2
0 Karma

kmaron
Motivator

A sparkline is a trend over time. Does your inputlookup include _time?

0 Karma

sbimizry
Engager

Yes, this field exists

0 Karma

chris1337
Explorer

Hi,

Are you sure that your inputlookup is delivering some fields+values? Do you use the right field name to count? Is this field name available in your lookup output?

I tested it, there are no problems right now.

Greetings Chris

0 Karma

sbimizry
Engager

Yes, I'm sure everything is correct, but they do not work

0 Karma

chris1337
Explorer

Could you please try the following:

| inputlookup lookupfile.csv

  • Is there any output?
  • Is there a field with values?

If yes, try:
| inputlookup lookupfile.csv | chart sparkline count by field_you_are_looking_for

Greetings, Chris

0 Karma

sbimizry
Engager

The lookup produces output and the fields exist too, but the sparkline does not work.

0 Karma

chris1337
Explorer

Ok, then I don't know. My local test here worked fine. I'm sorry, I could not help you.

Greetings Chris

0 Karma