Hi expert,
I'm trying to use sparkline inside join subsearch.
The result out of the sparkline is not rendered properly and looks like this:
(##SPARKLINE##,514.000000,549.000000,608.000000,665.000000,729.000000,786.000000,853....... data continues)
I looked up this previous post where a solution was suggested, but it doesn't work in my case.
https://answers.splunk.com/answers/69290/appending-sparkline-through-a-join.html
Is there a command I can use to render the result correctly?
I've tried "append" and "appendcols" instead of "join", both of which render correctly, but:
- "append" doesn't map the sparklines to the correct rows
- "appendcols" adds new rows for the sparklines and doesn't map sparklines next to the existing rows.
Any suggestion would be much appreciated!
Hi,
If it's still a concern... Run into the same issue and this solution worked:
| join ... [.... sparkline(...) as sparkvisual ... ] | makemv delim="," setsv=true sparkvisual
Credit goes to this topic:
https://answers.splunk.com/answers/69290/appending-sparkline-through-a-join.html
use appendcols instead of Join
Hi,
If it's still a concern... Run into the same issue and this solution worked:
| join ... [.... sparkline(...) as sparkvisual ... ] | makemv delim="," setsv=true sparkvisual
Credit goes to this topic:
https://answers.splunk.com/answers/69290/appending-sparkline-through-a-join.html
What is the entire search string? Otherwise we are just guessing...
Hi Iguinn - was the information I provided helpful/enough? appreciate if you could provide your feedback.
Hi Iguinn or any expert - appreciate your feedback...
Hi Iguinn - thanks for picking this up.
The below is the sparkline query which works perfectly when run independently:
index=foo type=Pending
| chart sparkline(avg(open_order),15m) as "Pending Trend" by service_name | sort service_name
The below is the sparkline query within the join which returns the result not rendered as a "sparkline" format - as you can see I'm (1) listing all the possible service_name, (2) appending pending count for those services which had a pending count in the latest data extraction, (3) appending pending count trend in a sparkline format. (1) and (2) works but (3) returns non-rendered result.
index="foo" type=* | stats count(service_name) by service_name
| join type=left [search index="foo" type="Pending" | table _time, service_name, type, open_order
| eventstats max(_time) as LatestTS | where _time=LatestTS | rename open_order as Pending | table service_name, Pending]
| join type=left [search index="foo" type="Pending"
| chart sparkline(avg(open_order),15m) as "Pending Trend" by service_name]
| fillnull value=0 Pending
| table service_name, Pending, "Pending Trend"