Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: When using sparkline to display a table, why a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jward6004
Explorer
03-02-2017
11:03 AM
I'm not able to populate the host field with information when using the search below. When I look at the events tab, I see these common fields shown such as host, ComputerName, ServerType but for some reason it's not populating in the table. Did I leave it out of my stats pipe and that's why it's not working?
Search:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) as lasttime count(source_exception) as Total by source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-02-2017
11:12 AM
Your stats line throws away the host value. Try something like this:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) AS lasttime count(source_exception) AS Total values(host) AS host BY source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-02-2017
11:12 AM
Your stats line throws away the host value. Try something like this:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) AS lasttime count(source_exception) AS Total values(host) AS host BY source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jward6004
Explorer
03-02-2017
11:47 AM
Thanks @woodcock
Get Updates on the Splunk Community!
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
