Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Appending Sparkline through a JOIN

Drainy
Champion
‎12-14-2012 01:29 AM

Good morning!

I'm about to dive into the JS on this to discover how its rendered but in the meantime I thought I'd throw it out here to see if anyone else has come across this..

Imagine a pretty basic search, all I'm doing is pulling back blocked events, no transactions or any funny business.. then I have a brainwave and decide to append a sparkline of blocked events for the same queue. This way I get a timestamp of the most recent block event with a mini timeline of previous blockages...

However, the sparkline is generated in a subsearch (within a join command) and when its passed back it isn't being rendered as a sparkline but instead as the markup for it.

Screenshot below, if anyone has come across this I'd be interested to know, otherwise I guess its just a bug/limitation of sparkline at the moment.

alt text

EDIT: Its worth pointing out that this does work if you reverse it and generate the sparkline first and then append the _time, but I'm interested in the problem now 🙂

0 Karma
Reply

dmr195
Communicator
‎12-18-2012 05:32 AM

I saw a different situation where a sparkline was being displayed as its text markup rather than as a graphic. In my case it turned out that the sparkline field had ceased to be a multi-valued field. You can make it multi-valued again by appending this to the end of your search (or at least after the join):

| makemv delim="," setsv=true sparkline

As I said, the situation where I saw the problem was completely different to yours, so maybe this won't solve your case, but it worked for me.

Reply

mschellhouse
Path Finder
‎06-11-2018 04:02 AM

We just upgraded to 7.x. It appears that they resolved the rendering issue as I no longer need to use the |makev * solution.

0 Karma
Reply

the0duke0
Path Finder
‎06-22-2018 07:34 AM

For us it seems 7.1 has broken the |makemv solution, and removing it doesn't help. I cannot get the sparkline to render if it is in the second part of the join. I was able to work around it by switching the order and having the sparkline before the join.

0 Karma
Reply

andymcdowall
Engager
‎08-27-2018 01:42 PM

I had the same issue in 7.1.2, removing setsv=true fixed it for me

Reply

ktvrznik
Loves-to-Learn
‎12-13-2018 05:15 AM

I can confirm that if you remove setsv=true it will fix this issue

0 Karma
Reply

swaro_ck
Path Finder
‎06-25-2018 02:26 AM

Same problem here with Splunk 7.1.1

0 Karma
Reply

troybebee
Engager
‎07-14-2014 07:45 PM

Works great. Thanks!

0 Karma
Reply

jrodriguezap
Contributor
‎08-06-2013 02:54 PM

Very good.
I ran to my well.
Thank you very much!

0 Karma
Reply

abchernin
Engager
‎03-06-2013 04:26 AM

Situation same as on OP's screenshot -- after join of savedsearch with sparklines, got a column of raw data. Solution worked.

0 Karma
Reply

hazekamp
Builder
‎02-12-2013 01:05 PM

This did work to correct the sparkline rendering for my search that involved "| join"

Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...