Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sparkline maximum data points?

MonkeyK
Builder
‎12-29-2016 02:13 PM

I recently noticed that my sparklines may appear to lose data when I make the resolution too fine. For example over the course of a days data, sparkline(sum(count),1h) as countTrend1h will represent the trend OK, but sparkline(sum(count),5m) as countTrend5m will show only part of the results. I think that this is because at a resolution of 1hour, I have only 24 datapoints, while a resolution of 5m has 288.

What is the maximum number of datapoints that Splunk can reasonable handler in a sparkline? Also, is there a way to deal with it if I inadvertently exceed that number of data points? alt text

sparkline.png
Preview file
71 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gergelybata
Explorer
‎07-04-2017 07:10 AM

Sparklines can have 101 data points maximum.
In fact, sparkline generates a multivalue field with a special "header", something like this:

##__SPARKLINE__##,113,322,275,334,314,284,...

So you can use every mv.... command on these fields, e.g. mvcount(countTrend5m)

View solution in original post

Reply
Solved! Jump to solution

lstewart_splunk
Splunk Employee
Splunk Employee
‎10-30-2017 03:14 PM

You can generate sparkline charts with the tstats command only if you specify the _time field in the BY clause and use the stats command to generate the actual sparkline.

For example:

| tstats count from datamodel=Authentication.Authentication BY _time, Authentication.src span=1h | stats sparkline(sum(count),1h) AS sparkline, sum(count) as count BY Authentication.src

Also, I don't know if the limit suggested is accurate. When you run the following command, you get many more data points than 101 which are charted:

index=_internal | chart sparkline count by sourcetype
0 Karma
Reply
Solved! Jump to solution
Solution

gergelybata
Explorer
‎07-04-2017 07:10 AM

Sparklines can have 101 data points maximum.
In fact, sparkline generates a multivalue field with a special "header", something like this:

##__SPARKLINE__##,113,322,275,334,314,284,...

So you can use every mv.... command on these fields, e.g. mvcount(countTrend5m)

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top