Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is sparkline returning '0' or '1'?

lennys26
Communicator
‎12-06-2022 02:12 AM

I have a query that returns an avg calculation over time and I am using a sparkline to try to show the results for each 'period' over that time, however although my results are showing a correct value, my sparkline only shows a value of 0 or 1.

My search is:

 

 

 

| tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m 
| eval AVG_ABC=((sum(DEF)/sum(ABC))/60) 
| stats sparkline avg(AVG_ABC) by platform

 

 

 

 

Instead of the single line result with the sparkline over time, I get the following:

sparkline2.png

Can anyone point me in the right direction? Essentially I am looking to create something like a single number value viz with a trendline.

Thanks.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2022 06:09 AM 
| tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m 
| eval AVG_ABC=(DEF/ABC)/60 
| stats sparkline(avg(AVG_ABC)) by platform

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2022 04:18 AM

Try this since you have already renamed sum(DEF) as DEF and sum(ABC) as ABC

| eval AVG_ABC=(DEF/ABC)/60
0 Karma
Reply
Solved! Jump to solution

lennys26
Communicator
‎12-06-2022 05:48 AM

Hi@ITWhisperer. Bad SPL on my side (or perhaps i just foobar'ed by code when I was replacing all of the FOOs and BARs in my post 😁), but either way, thanks for the correction.

Anyhow, I have made the change, but this does not affect the end result.

Sparkline.png

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2022 06:09 AM 
| tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m 
| eval AVG_ABC=(DEF/ABC)/60 
| stats sparkline(avg(AVG_ABC)) by platform
Reply
Solved! Jump to solution

lennys26
Communicator
‎12-06-2022 06:28 AM

Ahh haa! I had spaces between the 'sparkline' and the function: 

| stats sparkline avg(AVG_LOC) by platform

instead of

| stats sparkline(avg(AVG_LOC)) by platform

The strange thing is that my notes show that I have used this with the space in the past. Either way, it is working now.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...