Solved: How do I use a sparkline within tstats to visualiz...

DEAD_BEEF · ‎09-11-2018

I want to use a tstats command to get a count of various indexes over the last 24 hours. I also want to include the latest event time of each index (so I know logs are still coming in) and add to a sparkline to see the trend.

I'm having trouble as the sparkline is grouping together into one rather than by index. I referenced this post, but am stuck.

| tstats count where (index="email" OR index="b" OR index="ids" OR index="web") BY index _time span=10m
| stats sparkline(sum(count), 10m) AS Volume

Basically, I'm trying to make a tstats version of this:

index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g"
| stats sparkline count latest(_time) AS Latest BY index
| convert ctime(Latest)

DEAD_BEEF · ‎09-11-2018

I was finally able to figure it out. Here is the final query

| tstats count where (index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g") BY index _time span=10m 
| stats sparkline(sum(count), 10m) AS Volume latest(_time) AS Latest BY index 
| convert ctime(Latest)

View solution in original post

DEAD_BEEF · ‎09-11-2018

I was finally able to figure it out. Here is the final query

| tstats count where (index="a" OR index="b" OR index="c" OR index="d" OR index="e" OR index="f" OR index="g") BY index _time span=10m 
| stats sparkline(sum(count), 10m) AS Volume latest(_time) AS Latest BY index 
| convert ctime(Latest)

How do I use a sparkline within tstats to visualize data feed over the last 24 hours?

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security