Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is sparkline returning '0' or '1'?

lennys26
Communicator
‎12-06-2022 02:12 AM

I have a query that returns an avg calculation over time and I am using a sparkline to try to show the results for each 'period' over that time, however although my results are showing a correct value, my sparkline only shows a value of 0 or 1.

My search is:

 

 

 

| tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m 
| eval AVG_ABC=((sum(DEF)/sum(ABC))/60) 
| stats sparkline avg(AVG_ABC) by platform

 

 

 

 

Instead of the single line result with the sparkline over time, I get the following:

sparkline2.png

Can anyone point me in the right direction? Essentially I am looking to create something like a single number value viz with a trendline.

Thanks.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2022 06:09 AM 
| tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m 
| eval AVG_ABC=(DEF/ABC)/60 
| stats sparkline(avg(AVG_ABC)) by platform

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2022 04:18 AM

Try this since you have already renamed sum(DEF) as DEF and sum(ABC) as ABC

| eval AVG_ABC=(DEF/ABC)/60
0 Karma
Reply
Solved! Jump to solution

lennys26
Communicator
‎12-06-2022 05:48 AM

Hi@ITWhisperer. Bad SPL on my side (or perhaps i just foobar'ed by code when I was replacing all of the FOOs and BARs in my post 😁), but either way, thanks for the correction.

Anyhow, I have made the change, but this does not affect the end result.

Sparkline.png

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2022 06:09 AM 
| tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m 
| eval AVG_ABC=(DEF/ABC)/60 
| stats sparkline(avg(AVG_ABC)) by platform
Reply
Solved! Jump to solution

lennys26
Communicator
‎12-06-2022 06:28 AM

Ahh haa! I had spaces between the 'sparkline' and the function: 

| stats sparkline avg(AVG_LOC) by platform

instead of

| stats sparkline(avg(AVG_LOC)) by platform

The strange thing is that my notes show that I have used this with the space in the past. Either way, it is working now.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...