- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JordanPeterson
Path Finder
08-22-2018
03:26 PM
I have a search that is currently working to give me a spark line for different event types. The search looks like this:
`eventtype=PS-*
| chart sparkline count by eventtype`
Now I can take the fields from the chart and pipe that to table and it works fine too. What I want to do is add a "Latest" column for each EventType that displays the date of the most recent event for each event type. From there I'd also like to add a "First" field as well.
I've tried using stats and eval but those both seem to break the sparkline.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
08-22-2018
07:54 PM
@JordanPeterson can you try the following?
eventtype=PS-*
| chart sparkline count latest(_time) as "Latest Event" by eventtype
| fieldformat "Latest Event"=strftime('Latest Event',"%Y/%m/%d %H:%M:%S")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
08-22-2018
07:54 PM
@JordanPeterson can you try the following?
eventtype=PS-*
| chart sparkline count latest(_time) as "Latest Event" by eventtype
| fieldformat "Latest Event"=strftime('Latest Event',"%Y/%m/%d %H:%M:%S")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JordanPeterson
Path Finder
08-23-2018
01:23 PM
@niketnilay That worked perfectly. Thank you.
