- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to use sparkline?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use sparkline?
Hello,
I've built some reports about CPU, memory and disk usage, and I'd like to display these reports as sparkline to obtain a compact view (and include more reports in the same view).
For example , my search is
sourcetype=infra subtype=system | timechart span=60m avg(cpu) by devicename
and the result is
_time device1 device2 device3 device4
2016-10-12 14:00 1.666667 0.000000 5.000000 0.083333
2016-10-12 15:00 0.166667 0.000000 4.500000 0.000000
2016-10-12 16:00 0.000000 0.000000 2.916667 0.000000
2016-10-12 17:00 0.000000 0.083333 1.750000 0.000000
2016-10-12 18:00 0.000000 0.000000 1.000000 0.000000
I've tried:
sourcetype=infra subtype=system | stats sparkline count, avg(cpu) by devicename
or
sourcetype=infra subtype=system | stats sparkline(avg(cpu)) by devicename
But I don't think that displays the good line chart!
I've also tried:
sourcetype=infra subtype=system | stats sparkline(avg(cpu),1m) by devicename
Could you tell me what is the variable "1m"?
Does it mean "1 month"?
Regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1m would be 1 minute. 1mon would be 1 month.
https://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Addsparklinestosearchresults
https://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Specifytimemodifiersinyoursearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks cmerriman.
Please, could you tell me if the syntax of my searchs with sparkline are correct, or if another will be better?
I've tried:
sourcetype=infra subtype=system | stats sparkline count, avg(cpu) by devicename
and
sourcetype=infra subtype=system | stats sparkline(avg(cpu)) by devicename
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it depends on what you're trying to obtain
sourcetype=infra subtype=system | stats sparkline count, avg(cpu) by devicename
this search will give you a sparkline that shows the count over the timeframe you're specifying for each device
sourcetype=infra subtype=system | stats sparkline(avg(cpu)) by devicename
this search will give you a sparkline that shows the average cpu over the timeframe you're specifying for each device.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
