Splunk Search

How do I use a sparkline within tstats to visualize data feed over the last 24 hours?

DEAD_BEEF
Builder

I want to use a tstats command to get a count of various indexes over the last 24 hours. I also want to include the latest event time of each index (so I know logs are still coming in) and add a sparkline to see the trend.

I'm having trouble, as the sparkline is grouping everything together into one row rather than one per index. I referenced this post, but am stuck.

| tstats count where (index="email" OR index="b" OR index="ids" OR index="web") BY index _time span=10m
| stats sparkline(sum(count), 10m) AS Volume


Basically, I'm trying to make a tstats version of this:

index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g"
| stats sparkline count latest(_time) AS Latest BY index
| convert ctime(Latest)
0 Karma
1 Solution

DEAD_BEEF
Builder

I was finally able to figure it out. Here is the final query:

| tstats count where (index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g") BY index _time span=10m 
| stats sparkline(sum(count), 10m) AS Volume latest(_time) AS Latest BY index 
| convert ctime(Latest)

0 Karma
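An extension of the accepted query, added here as an example and not part of the original thread: it keeps the per-index sparkline and latest-event time, but also computes how many minutes each feed has been silent and flags it as STALE past an assumed 60-minute threshold, so a feed that has stopped is visible without reading the sparkline. The index names and the threshold are assumptions; the search time range is set by the time picker as in the original.

```spl
| tstats count max(_time) AS Latest
    where (index="a" OR index="b" OR index="c" OR index="d")
    BY index _time span=10m
| stats sparkline(sum(count), 10m) AS Volume
        sum(count) AS Total
        max(Latest) AS Latest
  BY index
| eval AgeMin=round((now()-Latest)/60)
| eval Status=if(AgeMin>60, "STALE", "ok")
| convert ctime(Latest)
| table index Status AgeMin Latest Total Volume
```

Note that an index with no events at all in the time range produces no row, so a completely dead feed is absent from the table rather than marked STALE; compare the rows returned against the list of expected indexes, or alert when the row count drops.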
