Splunk Enterprise Security

Sparkline after Join Command Problem


Hello Fellow Splunkers,

I have been trying the following query to pull the ES notified hosts and bring in a sparkline of each host's log counts, to reduce the number of false positives on the "Event logging service has shut down" event alerts.

EventCode=1100 OR EventCode=1074 OR EventCode=6006 OR EventCode=6008 index=wineventlog sourcetype=WinEventLog 
    [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule" 
    | stats count by dest_nt_host 
    | fields - count 
    | rename dest_nt_host as search 
    | format] 
| convert ctime(_time) 
| eval tem = "* " ._time." - " .EventCode. " - " .Message 
| sort tem 
| stats values(tem) as tem by host 
| search tem=*1100* 
| join host 
    [ search index=wineventlog sourcetype=WinEventLog 
        [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule" 
        | stats count by dest_nt_host 
        | fields - count 
        | rename dest_nt_host as search 
        | format] 
    | stats sparkline(count) as sparkline by host ]

However, I have a problem applying a sparkline next to my table. The supposed sparkline chart returns a result of:

##__SPARKLINE__##,146,158,201,172,161,172,185,180,154,2361,986,202,570,192,2284,999,200,931,427,549,177,330,382,142,2448,3695,566,3409,490,3483,4671,4927,3000,3087,2873,159,280,139,113,164,132,141,135,151,186,176,140,146,88

I have tried adding the following line which was mentioned in previous similar questions at the end of my query,

makemv delim="," setsv=true sparkline

However, I still end up with a string problem for the sparkline.

Any and all suggestions are welcome,
Regards,


Re: Sparkline after Join Command Problem


Hey mate,

I had a similar issue with the sparkline persisting after a subsequent join/stats.

All I did was in the stats command following the join:
| stats list(spark) as spark

So yours would be after the join:
| stats list(sparkline) as sparkline by host

It worked for me. YMMV. Let me know how you go.

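The reply's fix folded back into the question's query, as an added example that is not code from either poster. It assumes the same index, sourcetype, EventCodes and notable source name as the question, keeps the bare-term host matching from the original subsearch, and adds a final `stats list(sparkline)` after the join so the sparkline is re-materialised as a multivalue field instead of the `##__SPARKLINE__##` string; the redundant `sort` before `stats values()` is dropped because `values()` already sorts.

```spl
index=wineventlog sourcetype=WinEventLog (EventCode=1100 OR EventCode=1074 OR EventCode=6006 OR EventCode=6008)
    [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule"
      | stats count by dest_nt_host
      | fields - count
      | rename dest_nt_host as search
      | format ]
| convert ctime(_time)
| eval tem = "* " . _time . " - " . EventCode . " - " . Message
| stats values(tem) as tem by host
| search tem="*1100*"
| join type=left host
    [ search index=wineventlog sourcetype=WinEventLog
        [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule"
          | stats count by dest_nt_host
          | fields - count
          | rename dest_nt_host as search
          | format ]
      | stats sparkline(count) as sparkline by host ]
| stats list(sparkline) as sparkline, values(tem) as tem by host
| table host, sparkline, tem
```

When triaging, a host whose sparkline falls to zero after the 1100 event is one where logging genuinely stopped, while steady counts around a 1074/6006 event point to a normal shutdown or restart.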