Adding sparklines to chart

cjenning · ‎05-12-2015

Hi, I have a chart that is a count of alerts by hostname and severity. I'd like to add a column that is a sparkline of alerts by time for each host. Here is my search and a screenshot of my chart with desired outcome. Help please?

index=techmon sourcetype="techmon_hpom_messages_history" | chart count by NODE_NAME,SEVERITY | addTOTALS labelfield=SEVERITY label=Total| sort -Total| head 20

Apparently need more splunk karma to post an attachment or a link so I will type out the chart here:

I want to add Sparkline after total that will graph the alerts over time. The field for the time is LOCAL_RECEIVING_TIME.

Thanks folks

jimodonald · ‎05-12-2015

You need to add the sparkline function to the chart command. See below.

index=techmon sourcetype="techmon_hpom_messages_history" | chart sparkline count by NODE_NAME,SEVERITY | addTOTALS labelfield=SEVERITY label=Total| sort -Total| head 20

cjenning · ‎05-13-2015

Thanks, but is there a way to do this so the sparklines are charted only by NODE_NAME while the count is by NODE_NAME and SEVERITY? In your solution I end up with 5 columns of sparklines.

jimodonald · ‎05-13-2015

Which field do you want to be used for the sparkline?

BTW, the docs describe how to do this pretty well.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/AddSparklinestoSearchResults

cjenning · ‎05-14-2015

I want the sparkline to be used for the total column. I tried going through that documentation but it didn't help me with this problem. Anyway I formulate my search I either get 5 sparklines or a chart way off from what I'm looking for with 1 broken sparkline.

Adding sparklines to chart

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...