Feeding Sparkline with Data Model

splunkbeginner2
Path Finder

Hello,

For a dashboard I will need to display a sparkline with entries blocked / accessed by an ACL from the Cisco IOS app. Because of the availability of data models I would like to use them to access the data. Unfortunately I am currently not able to create a sparkline that displays what I wanted.

I am able to get 9 charts that can display when each of the values was reached
(e.g.
2 hits at: 10:10, 10:30, 10:40
3 hits at: 10:20
4 hits at: 10:50, 11:00
)

[All numbers displayed in a graph]

How could I get this data into a single graph?

| pivot Cisco_IOS_Event Blocked_Access_List_Event Blocked_Access_List_Event AS "val" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | eval count=val | eval name="name" | eval Time=_time | chart sparkline by val

Thanks for your help!

Regards!

0 Karma
1 Solution

splunkbeginner2
Path Finder

I fixed it. The solution was the following:

  1. I debugged the source of the Cisco IOS App. They use saved searches.
  2. Open Search in Splunk -> Settings -> Searches -> Cisco uses the old notation.
  3. Using the old scheme of notation:

search index="cisco-firewall" action="blocked" | chart sparklines

Simple, but works. However I have to admit that I would have preferred a solution with the data model.

Best Regards!


0 Karma
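
A data-model variant of the search above, as an added example that is not part of the original thread or the Cisco IOS app. It assumes the data model and dataset names from the question's pivot (Cisco_IOS_Event, Blocked_Access_List_Event); the output field names blocked_trend and blocked_total are made up for illustration.

```spl
| datamodel Cisco_IOS_Event Blocked_Access_List_Event search
| stats sparkline(count) AS blocked_trend, count AS blocked_total
```

Because the stats command has no BY clause, every blocked-ACL event lands in one row with one sparkline, instead of one sparkline per distinct hit count as "chart sparkline by val" produces.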
