Sparkline in Join

Explorer

Hi expert,

I'm trying to use sparkline inside join subsearch.
The result out of the sparkline is not rendered properly and looks like this:
(##SPARKLINE##,514.000000,549.000000,608.000000,665.000000,729.000000,786.000000,853....... data continues)

I looked up this previous post where a solution was suggested, but it doesn't work in my case.
https://answers.splunk.com/answers/69290/appending-sparkline-through-a-join.html

Is there a command I can use to render the result correctly?

I've tried "append" and "appendcols" instead of "join", both of which render correctly, but:
- "append" doesn't map the sparklines to the correct rows
- "appendcols" adds new rows for the sparklines and doesn't map sparklines next to the existing rows.

Any suggestion would be much appreciated!

0 Karma

Explorer

Hi,

If it's still a concern... Ran into the same issue and this solution worked:

| join ... [.... sparkline(...) as sparkvisual ... ] | makemv delim="," setsv=true sparkvisual

Credit goes to this topic:
https://answers.splunk.com/answers/69290/appending-sparkline-through-a-join.html

Explorer

Use appendcols instead of join

0 Karma

Legend

What is the entire search string? Otherwise we are just guessing...

0 Karma

Explorer

Hi Iguinn - was the information I provided helpful/enough? Appreciate if you could provide your feedback.

0 Karma

Explorer

Hi Iguinn or any expert - appreciate your feedback...

0 Karma

Explorer

Hi Iguinn - thanks for picking this up.

The below is the sparkline query which works perfectly when run independently:

index=foo type=Pending
| chart sparkline(avg(open_order),15m) as "Pending Trend" by service_name | sort service_name

The below is the sparkline query within the join, which returns a result that is not rendered in "sparkline" format - as you can see I'm (1) listing all the possible service_name, (2) appending the pending count for those services which had a pending count in the latest data extraction, (3) appending the pending count trend in a sparkline format. (1) and (2) work but (3) returns a non-rendered result.

index="foo" type=* | stats count(service_name) by service_name
| join type=left [search index="foo" type="Pending" | table _time, service_name, type, open_order
| eventstats max(_time) as LatestTS | where _time=LatestTS | rename open_order as Pending | table service_name, Pending]
| join type=left [search index="foo" type="Pending"
| chart sparkline(avg(open_order),15m) as "Pending Trend" by service_name]
| fillnull value=0 Pending
| table service_name, Pending, "Pending Trend"

0 Karma
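
The accepted fix applied to the complete search from the question, as an added example that is not part of any post in this thread. It assumes the field names are service_name, open_order and _time, joins explicitly on service_name, and gives the sparkline a space-free name (pending_trend, a name chosen here) so makemv can take it unquoted before it is renamed for display:

```spl
index="foo" type=*
| stats count(service_name) by service_name
| join type=left service_name
    [ search index="foo" type="Pending"
      | table _time, service_name, type, open_order
      | eventstats max(_time) as LatestTS
      | where _time=LatestTS
      | rename open_order as Pending
      | table service_name, Pending ]
| join type=left service_name
    [ search index="foo" type="Pending"
      | chart sparkline(avg(open_order),15m) as pending_trend by service_name ]
| makemv delim="," setsv=true pending_trend
| fillnull value=0 Pending
| rename pending_trend as "Pending Trend"
| table service_name, Pending, "Pending Trend"
```

As in the accepted answer, makemv runs after the join, on the joined result, not inside the subsearch.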