Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use dashboard using sparkline with partial=f?

hhh
Loves-to-Learn Everything
‎08-21-2023 03:16 AM

Im trying to make a high level view dashboard that has multiple dashboards in it. I want to use the sparkline because it is a compact chart with a lot of information.

My problem is that the sparkline shouldnt show any partial time buckets because then someone might look at the dashboard and think there is something wrong because of the dip at the end of the sparkline.

From my understanding I cannot use partial=f in my query because i use stats is there any other way to achieve this?

This is my query
| stats sparkline(max(field7)) as "sparkline" max(field7) by field10
| rename field10 as "Environment"
| rename max(field7) as "Response time max"
| rex field="Response time max" mode=sed "s/(\.\d{2})\d*/\1/"

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-21-2023 04:14 AM

It is not clear what you want instead of the sparkline returning to zero, but if I assume you want the previous value to continue, you could do something like this

| timechart max(field7) as field7 by field10
| filldown *
| untable _time field10 field7
| stats sparkline(max(field7)) as "sparkline" max(field7) by field10
| rename field10 as "Environment"
| rename max(field7) as "Response time max"
| rex field="Response time max" mode=sed "s/(\.\d{2})\d*/\1/"

Essentially, use the timechart command to generate events for all time buckets, then filldown the latest value into empty fields, the untable before using stats to generate your table.

0 Karma
Reply

hhh
Loves-to-Learn Everything
‎08-21-2023 04:48 AM

I was told that the sparkline would show a dip at the end because the time bucket would be partial. So from my understanding if the sparkline would aggregate by every hour and the time would be 13:05 right now, it would show a dip at the end of the sparkline because it would only count five minutes worth of events.

The problem is that there should be a lot of continuous events and if the end of the sparkline shows a rapid decline people not familiar with how splunk works would think there is some kind of problem because there is such a huge decrease. Hope this cleared the confusion, thank you for your help.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-21-2023 05:24 AM

You could try aligntime=latest and/or partial=f on the timechart command in my suggestion to see if that gives you what you want.

0 Karma
Reply

hhh
Loves-to-Learn Everything
‎08-22-2023 03:54 AM

It doesn't seem to be working the way I want it to. Here is an old thread without answer but this is the exact problem that I want solution for https://community.splunk.com/t5/Splunk-Search/Is-there-any-way-to-fix-cut-off-Sparklines/m-p/429298

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...