
Adding sparklines to chart

Explorer

Hi, I have a chart that is a count of alerts by hostname and severity. I'd like to add a column that is a sparkline of alerts by time for each host. Here is my search and a screenshot of my chart with desired outcome. Help please?

index=techmon sourcetype="techmon_hpom_messages_history" | chart count by NODE_NAME,SEVERITY | addTOTALS labelfield=SEVERITY label=Total | sort -Total | head 20

Apparently I need more Splunk karma to post an attachment or a link, so I will type out the chart here:


NODE_NAME | Critical | Major | Minor | Normal | Warning | Total |
Host 1    | 5        | 3     | 10    | 0      | 8       | 36    |
Host 2    | 1        | 3     | 6     | 3      | 8       | 19    |
Host 3    | 2        | 6     | 0     | 5      | 2       | 15    |


I want to add a sparkline after Total that will graph the alerts over time. The field for the time is LOCALRECEIVINGTIME.

Thanks folks


Re: Adding sparklines to chart

Contributor

You need to add the sparkline function to the chart command. See below.

index=techmon sourcetype="techmon_hpom_messages_history" | chart sparkline count by NODE_NAME,SEVERITY | addTOTALS labelfield=SEVERITY label=Total | sort -Total | head 20
0 Karma

Re: Adding sparklines to chart

Explorer

Thanks, but is there a way to do this so the sparklines are charted only by NODE_NAME while the count is by NODE_NAME and SEVERITY? In your solution I end up with 5 columns of sparklines.

0 Karma

Re: Adding sparklines to chart

Contributor

Which field do you want to be used for the sparkline?

BTW, the docs describe how to do this pretty well.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/AddSparklinestoSearchResults

0 Karma

Re: Adding sparklines to chart

Explorer

I want the sparkline to be used for the total column. I tried going through that documentation but it didn't help me with this problem. Any way I formulate my search, I either get 5 sparklines or a chart way off from what I'm looking for with 1 broken sparkline.

0 Karma
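
One way to get a single per-host sparkline next to the per-severity counts, as an added example that is not from any poster in this thread: split only by NODE_NAME in stats and build each severity column with count(eval(...)). It assumes the SEVERITY values are exactly the column names shown in the question's table, and that the event timestamp (_time), which sparkline buckets on, reflects when the alert was received; if it does not, _time would first have to be set from LOCALRECEIVINGTIME, whose format is not given on this page.

```spl
index=techmon sourcetype="techmon_hpom_messages_history"
| stats count(eval(SEVERITY="Critical")) AS Critical,
        count(eval(SEVERITY="Major"))    AS Major,
        count(eval(SEVERITY="Minor"))    AS Minor,
        count(eval(SEVERITY="Normal"))   AS Normal,
        count(eval(SEVERITY="Warning"))  AS Warning,
        count                            AS Total,
        sparkline(count)                 AS Trend
  BY NODE_NAME
| sort -Total
| head 20
```

Because the split is by NODE_NAME alone, there is one Trend column per row instead of one sparkline per severity, and Total comes from stats directly so addtotals is not needed.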