Hello,
I have the following search:
sourcetype=some_data | stats values(msg_type) first(_time) as start by id_field project_field interface_field | evals and lookups etc...
I would like to add a sparkline to count the individual occurrences of the project_field, however, the below results in a sparkline with a flat line with zeros for values:
sourcetype=some_data | stats values(msg_type) first(_time) as start by id_field project_field interface_field | evals and lookups etc... | stats sparkline count by project_field
When I try to add a sparkline to the beginning of the search, I'm seeing an error because the project_field is one of the grouped by fields.
Any ideas?
thanks!
A sparkline is inherently timestamp-based, yet the data you send into the sparkline has no _time field.
Think about what value you want as timestamp for the sparkline... might be the start field, might be something else... and put that into a field called _time.
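
The fix described in the answer above, as an added example that is not part of the original thread: a run-anywhere search that builds constructed sample events with `makeresults`, applies the same first `stats` as the question, then copies `start` back into `_time` before the sparkline. The field values (`projA`, `projB`, `req`, `resp`, the `id`/`if` prefixes) and the `msg_types` and `trend` output names are assumptions made up for the illustration.

```spl
| makeresults count=60
| streamstats count as n
| eval _time = now() - n * 60
| eval id_field = "id" . tostring(n % 20),
       project_field = if(n % 3 == 0, "projA", "projB"),
       interface_field = "if" . tostring(n % 2),
       msg_type = if(n % 2 == 0, "req", "resp")
| stats values(msg_type) as msg_types first(_time) as start by id_field project_field interface_field
| eval _time = start
| stats sparkline(count) as trend count by project_field
```

Removing the `eval _time = start` line reproduces the situation in the question: the first `stats` keeps only its aggregates and group-by fields, so the rows reaching the second `stats` carry no `_time`.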