Solved: How do I use a sparkline within tstats to visualiz...

DEAD_BEEF · ‎09-11-2018

I want to use a tstats command to get a count of various indexes over the last 24 hours. I also want to include the latest event time of each index (so I know logs are still coming in) and add to a sparkline to see the trend.

I'm having trouble as the sparkline is grouping together into one rather than by index. I referenced this post, but am stuck.

| tstats count where (index="email" OR index="b" OR index="ids" OR index="web") BY index _time span=10m
| stats sparkline(sum(count), 10m) AS Volume

Basically, I'm trying to make a tstats version of this:

index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g"
| stats sparkline count latest(_time) AS Latest BY index
| convert ctime(Latest)

DEAD_BEEF · ‎09-11-2018

I was finally able to figure it out. Here is the final query

| tstats count where (index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g") BY index _time span=10m 
| stats sparkline(sum(count), 10m) AS Volume latest(_time) AS Latest BY index 
| convert ctime(Latest)

View solution in original post

DEAD_BEEF · ‎09-11-2018

I was finally able to figure it out. Here is the final query

| tstats count where (index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g") BY index _time span=10m 
| stats sparkline(sum(count), 10m) AS Volume latest(_time) AS Latest BY index 
| convert ctime(Latest)

How do I use a sparkline within tstats to visualize data feed over the last 24 hours?

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...