I'm trying to use sparkline inside join subsearch.
The result out of the sparkline is not rendered properly and looks like this:
(##SPARKLINE##,514.000000,549.000000,608.000000,665.000000,729.000000,786.000000,853....... data continues)
I looked up this previous post where a solution was suggested, but it doesn't work in my case.
Is there a command I can use to render the result correctly?
I've tried "append" and "appendcols" instead of "join", both of which render correctly, but:
- "append" doesn't map the sparklines to the correct rows
- "appendcols" adds new rows for the sparklines and doesn't map sparklines next to the existing rows.
Any suggestion would be much appreciated!
Hi Iguinn - thanks for picking this up.
The below is the sparkline query which works perfectly when run independently:
| chart sparkline(avg(openorder),15m) as "Pending Trend" by servicename | sort servicename
The below is the sparkline query within the join which returns the result not rendered in a "sparkline" format - as you can see I'm (1) listing all the possible servicename values, (2) appending pending count for those services which had a pending count in the latest data extraction, (3) appending pending count trend in a sparkline format. (1) and (2) work but (3) returns a non-rendered result.
index="foo" type=* | stats count(servicename) by servicename
| join type=left [search index="foo" type="Pending" | table time, servicename, type, openorder
| eventstats max(time) as LatestTS | where time=LatestTS | rename openorder as Pending | table servicename, Pending]
| join type=left [search index="foo" type="Pending"
| chart sparkline(avg(openorder),15m) as "Pending Trend" by servicename]
| fillnull value=0 Pending
| table servicename, Pending, "Pending Trend"
If it's still a concern... Ran into the same issue and this solution worked:
| join ... [.... sparkline(...) as sparkvisual ... ] | makemv delim="," setsv=true sparkvisual
Credit goes to this topic:
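The query from the question with the makemv fix from the answer applied, as an added example that is not part of either post. makemv runs in the outer search after the second join, where the sparkline has already been flattened to the comma-separated string shown in the question. The field name pending_trend is an assumption, chosen without a space so it can be passed to makemv unquoted; the index, type and other field names follow the question.

```spl
index="foo" type=*
| stats count(servicename) by servicename
| join type=left
    [ search index="foo" type="Pending"
      | table time, servicename, type, openorder
      | eventstats max(time) as LatestTS
      | where time=LatestTS
      | rename openorder as Pending
      | table servicename, Pending ]
| join type=left
    [ search index="foo" type="Pending"
      | chart sparkline(avg(openorder),15m) as pending_trend by servicename ]
| makemv delim="," setsv=true pending_trend
| fillnull value=0 Pending
| table servicename, Pending, pending_trend
```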