
Sparkline in Join

takashi6
Explorer

Hi expert,

I'm trying to use sparkline inside a join subsearch.
The result out of the sparkline is not rendered properly and looks like this:
(##SPARKLINE##,514.000000,549.000000,608.000000,665.000000,729.000000,786.000000,853....... data continues)

I looked up this previous post where a solution was suggested, but it doesn't work in my case.
https://answers.splunk.com/answers/69290/appending-sparkline-through-a-join.html

Is there a command I can use to render the result correctly?

I've tried "append" and "appendcols" instead of "join", both of which render correctly, but:
- "append" doesn't map the sparklines to the correct rows
- "appendcols" adds new rows for the sparklines and doesn't map sparklines next to the existing rows.

Any suggestion would be much appreciated!


gergelybata
Explorer

Hi,

If it's still a concern... I ran into the same issue and this solution worked:

| join ... [.... sparkline(...) as sparkvisual ... ] | makemv delim="," setsv=true sparkvisual

Credit goes to this topic:
https://answers.splunk.com/answers/69290/appending-sparkline-through-a-join.html


oolatunji
Explorer

Use appendcols instead of join.


lguinn2
Legend

What is the entire search string? Otherwise we are just guessing...


takashi6
Explorer

Hi Iguinn - was the information I provided helpful/enough? I'd appreciate it if you could provide your feedback.


takashi6
Explorer

Hi Iguinn or any expert - appreciate your feedback...


takashi6
Explorer

Hi Iguinn - thanks for picking this up.

Below is the sparkline query, which works perfectly when run independently:

index=foo type=Pending
| chart sparkline(avg(open_order),15m) as "Pending Trend" by service_name | sort service_name

Below is the sparkline query within the join, which returns a result that is not rendered in "sparkline" format. As you can see, I'm (1) listing all the possible service_name values, (2) appending the pending count for those services which had a pending count in the latest data extraction, and (3) appending the pending count trend in sparkline format. (1) and (2) work, but (3) returns a non-rendered result.

index="foo" type=* | stats count(service_name) by service_name
| join type=left [search index="foo" type="Pending" | table _time, service_name, type, open_order
| eventstats max(_time) as LatestTS | where _time=LatestTS | rename open_order as Pending | table service_name, Pending]
| join type=left [search index="foo" type="Pending"
| chart sparkline(avg(open_order),15m) as "Pending Trend" by service_name]
| fillnull value=0 Pending
| table service_name, Pending, "Pending Trend"
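
Added example (not part of any post in this thread): the full query above with the accepted answer's makemv step applied after the second join, so the comma-delimited "##SPARKLINE##,..." string shown in the question is split back into a multivalue field. The field name sparkvisual is taken from the answer and replaces "Pending Trend"; that the result then renders is assumed from the answer's report, not tested here.

```spl
index="foo" type=*
| stats count(service_name) by service_name
| join type=left
    [ search index="foo" type="Pending"
      | table _time, service_name, type, open_order
      | eventstats max(_time) as LatestTS
      | where _time=LatestTS
      | rename open_order as Pending
      | table service_name, Pending ]
| join type=left
    [ search index="foo" type="Pending"
      | chart sparkline(avg(open_order),15m) as sparkvisual by service_name ]
| makemv delim="," setsv=true sparkvisual
| fillnull value=0 Pending
| table service_name, Pending, sparkvisual
```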
