How to normalize and display data using sparklines...

rm4149 · ‎07-11-2016

So I'm planning to normalize latency data for a network.

Search:

index=_* OR index=* sourcetype="defaut log"| rename Parent_Host as A , Child_Host as B |eventstats min(In) as minIn  max(In) as maxIn by A B|eval val = (In-minIn)/(maxIn-minIn) |stats sparkline(avg(val)) as In by A B

Now I have normalized the data between 0-1 using the eventstats and eval, but can't figure out how to display that normalized data in the sparkline as stats sparkline(val) as In by A B throws an error and doing stats sparkline(avg(val)) as In by A B is not same as printing the sparkline of the values.

diogofgm · ‎07-15-2016

You don't need the () for sparkline. (docs)
Try like this:

 index=_* OR index=* sourcetype="defaut log"| rename Parent_Host as A , Child_Host as B |eventstats min(In) as minIn  max(In) as maxIn by A B|eval val = (In-minIn)/(maxIn-minIn) | stats sparkline avg(val) as In by A B

------------
Hope I was able to help you. If so, some karma would be appreciated.

How to normalize and display data using sparklines?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation