Solved: How Do I Add LatestEvent Column to a Sparkline Cha...

JordanPeterson · ‎08-22-2018

I have a search that is currently working to give me a spark line for different event types. The search looks like this:

`eventtype=PS-* 
| chart sparkline count by eventtype`

Now I can take the fields from the chart and pipe that to table and it works fine too. What I want to do is add a "Latest" column for each EventType that displays the date of the most recent event for each event type. From there I'd also like to add a "First" field as well.

I've tried using stats and eval but those both seem to break the sparkline.

niketn · ‎08-22-2018

@JordanPeterson can you try the following?

 eventtype=PS-* 
 | chart sparkline count latest(_time) as "Latest Event" by eventtype
 | fieldformat "Latest Event"=strftime('Latest Event',"%Y/%m/%d %H:%M:%S")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-22-2018

@JordanPeterson can you try the following?

 eventtype=PS-* 
 | chart sparkline count latest(_time) as "Latest Event" by eventtype
 | fieldformat "Latest Event"=strftime('Latest Event',"%Y/%m/%d %H:%M:%S")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

JordanPeterson · ‎08-23-2018

@niketnilay That worked perfectly. Thank you.

How Do I Add LatestEvent Column to a Sparkline Chart?

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials