Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Invalid timespan specified for sparkline

penghan0612
New Member
‎04-10-2019 02:01 AM

Hi,

I would like to change the sparkline chunk based on the time range.
I calculate the time and put it in span, which is used in the sparkline command. Looks like the value of it is a string and it is not supported.

Could you please advise how to fix this, or what is the best practice? What I want to do is to set the chunks accordingly based on the search time range. Thanks.

index = windesktop_log sourcetype = "WinEventLog:Application"

| rename Message AS MainMessage
| spath input=MainMessage
| addinfo
| eval timerange= info_max_time-info_min_time
| eval span=case(timerange<4000,"1m",timerange<172800,"1h",1=1,"1d")
| stats sparkline(avg(ResolveTime),span) as resolve_time_trend count, avg(ResolveTime) by ResolveType
| sort - count

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...