Splunk Search

How do I create a sparkline for each day in a chart?

MonkeyK
Builder

I am trying to summarize network traffic to or from an IP address. I would like to look for daily patterns and thought that a sparkline would help to call those out. I cannot figure out how to make a sparkline for each day.

What I have so far:

traffic counts to an IP address by the minute:

| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.dest_ip=134.170.30.203
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m

Which I can summarize over each day with

| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.dest_ip=134.170.30.203
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
|timechart sum(count) as Count min(_time) as First max(_time) as Last span=1d
| eval First=strftime(First,"%m/%d/%y %H:%M") | eval Last=strftime(Last,"%m/%d/%y %H:%M")

The initial span of a minute is just there so that I can get 1 minute resolution to the first and last times of each day. I actually use an intermediate time chart so that I can save daily fist and last times

| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.dest_ip=134.170.30.203
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
| timechart sum(count) as minCount earliest(_time) as minFirst latest(_time) as minLast span=1m
| timechart sum(minCount) as Count min(minFirst) as First max(minLast) as Last span=1d
| eval First=strftime(First,"%m/%d/%y %H:%M") | eval Last=strftime(Last,"%m/%d/%y %H:%M")

So the above gives me a record for each day with the date, number of network events, first network event, and last network event, looking something like:
_time..............Count.....First........................Last
2016-12-25....30...........12/25/16 04:25.....12/25/16 23:24
2016-12-26....42...........12/26/16 02:18.....12/26/16 09:14
2016-12-27....430.........12/27/16 03:51.....12/27/16 20:13
2016-12-28....48...........12/28/16 03:51.....12/28/16 10:20
2016-12-29....48...........12/29/16 05:27.....12/29/16 08:23

I would like to add a sparkline indicating how the network events were distributed across the day each day. Can someone help me figure out how to do this?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try
Updated

| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic 
WHERE All_Traffic.dest_ip=134.170.30.203 
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
| timechart sum(count) as minCount earliest(_time) as minFirst latest(_time) as minLast span=1m 
| eval Day=strftime(_time,"%F")
| stats sparkline(sum(minCount),5m) as countTrend sum(minCount) as Count min(minFirst) as First max(minLast) as Last by Day
| eval First=strftime(First,"%m/%d/%y %H:%M") | eval Last=strftime(Last,"%m/%d/%y %H:%M")
| eval _time=strptime(Day,"%F") | table _time countTrend Count First Last

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try
Updated

| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic 
WHERE All_Traffic.dest_ip=134.170.30.203 
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
| timechart sum(count) as minCount earliest(_time) as minFirst latest(_time) as minLast span=1m 
| eval Day=strftime(_time,"%F")
| stats sparkline(sum(minCount),5m) as countTrend sum(minCount) as Count min(minFirst) as First max(minLast) as Last by Day
| eval First=strftime(First,"%m/%d/%y %H:%M") | eval Last=strftime(Last,"%m/%d/%y %H:%M")
| eval _time=strptime(Day,"%F") | table _time countTrend Count First Last
0 Karma

MonkeyK
Builder

Actually, I see what has happened. It looks like the sparkline is taking into account all datapoints from my search even though the row's span is only one day. So all of the zeros from day one are included in the sparkline for day 2. Concequently, the second day results start to the right for the first day results , and the third day results to the right of that.

To make matters worse, it looks like sparklines may have a max number of datapoints that they can represent, when those are exceeded, the rest of the sparkline is truncated and my last day may show no data at all.

is there a way to make the sparkline only consider the day that the row represents?

0 Karma

MonkeyK
Builder

I am accepting this answer and asking about where the sparkline start in a different question
https://answers.splunk.com/answers/484433/how-do-i-create-daily-sparklines-that-start-with-t.html

I think that one indicates that Splunk says there is a limitation in sparklines that prevents them from only showing data relevant to a time span record.

0 Karma

MonkeyK
Builder

Thank you! That gets me a sparkline.

Oddly the graph that it creates seems to have no basis in reality. For example on one of the days, first and last times are 5:30-8:30am, while the sparkline notes all events at the end of the day.

Are sparklines supposed to actually represent something?

Also, with your Day eval, I don't need the first timechart. I swap out minCount for count and use _time instead of minFirst and minLast. That is pretty neat.

0 Karma

MonkeyK
Builder

I got:
Error in 'stats' command: Sparklines not specific to a field must use the "count" aggregator

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try the updated answer.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...