
How to use sparkline in search with inputlookup?

Engager

Hi,
I tried this:

index=indexname | chart sparkline count by field

and it worked, but this did not work:

| inputlookup lookupname | chart sparkline count by field

Why, and how do I fix it? How must I use sparkline with inputlookup?
Thanks

0 Karma

Re: How to use sparkline in search with inputlookup?

Explorer

Hi,

are you sure that your inputlookup is delivering some fields and values? Do you use the right field name to count? Is this field name available in your lookup output?

I tested it, there are no problems right now.

Greetings Chris

0 Karma

Re: How to use sparkline in search with inputlookup?

Engager

Yes, I'm sure everything is correct, but it does not work.

0 Karma

Re: How to use sparkline in search with inputlookup?

Explorer

Could you please try the following:

| inputlookup lookupfile.csv

  • Is there any output?
  • Is there a field with values?

If yes, try:
| inputlookup lookupfile.csv | chart sparkline count by fieldyouarelookingfor

Greetings, Chris

0 Karma

Re: How to use sparkline in search with inputlookup?

Engager

The output from the lookup exists, and the fields too, but sparkline does not work.

0 Karma

Re: How to use sparkline in search with inputlookup?

Explorer

OK, then I don't know. My local test here worked fine. I'm sorry, I could not help you.

Greetings Chris

0 Karma

Re: How to use sparkline in search with inputlookup?

Motivator

A sparkline is a trend over time. Does your inputlookup include _time?

0 Karma

Re: How to use sparkline in search with inputlookup?

Engager

Yes, this field exists

0 Karma

Re: How to use sparkline in search with inputlookup?

Legend

@sbimizry what is the field containing epoch time in your lookup? Or do you have time in the lookup available as a string time? In either case, the community would be able to assist you better if you provide field names with some sample data from your lookup file.

For example

time          field
2019/01/01 20:08:00          value1
2019/01/01 20:09:00          value1
2019/01/01 20:10:00          value1
2019/01/01 20:08:00          value2
2019/01/01 20:10:00          value2

Then the following would be the query. If the time in the lookup is a string time, the following eval with strptime() is required to convert the string time to epoch. Otherwise, _time can be directly overridden with | eval _time=time when the time field is already epoch time.

| inputlookup lookupname 
| eval _time=strptime(time,"%Y/%m/%d %H:%M:%S")
| chart sparkline count by field

0 Karma

Re: How to use sparkline in search with inputlookup?

Engager

I did it, but it doesn’t work.
Example of my data:

result_time                 name
1565083380               value1
1565083230               value1
1565087350               value2
1565078330               value3
1565066540               value2

0 Karma