Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- untranspose multi-field sparkline
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| chart sparkline count by a,b
I would like to have sparkline table like...
a | b | count | sparkline
thing1 | foo | 123 | _^_
thing2 | bar | 456 | _^_
But sparkline does an implicit transpose like...
a | count: foo | count: bar | sparkline: foo | sparkline: bar
thing1 | 123 | 0 | _^_ |
thing2 | 0 | 456 | | _^_
Is it possible to produce the desired table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @coo
I had the exact same issue previously with chart sparkline count by field1,field2 - it always transposes and gives you columns instead of nice rows.
Here's the clean fix that works perfectly:
index=_internal sourcetype=splunkd*
| rename host as a, sourcetype as b
| stats count as count by _time a b
| fillnull value=0 count
| stats sparkline(count) as sparkline
sum(count) as count
by a b
| table a b count sparkline
What it does:
stats count by _time a b → gets time-series data per host+sourcetype
fillnull value=0 → handles gaps for smooth sparklines
stats sparkline(count) ... by a b → one sparkline per host+sourcetype row
Perfect table: a | b | count | sparkline
Seen the attached screenshot for better understanding, No more transpose headaches!
Please give 👍 for support 😁 happly splunking .... 😎
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @coo
I had the exact same issue previously with chart sparkline count by field1,field2 - it always transposes and gives you columns instead of nice rows.
Here's the clean fix that works perfectly:
index=_internal sourcetype=splunkd*
| rename host as a, sourcetype as b
| stats count as count by _time a b
| fillnull value=0 count
| stats sparkline(count) as sparkline
sum(count) as count
by a b
| table a b count sparkline
What it does:
stats count by _time a b → gets time-series data per host+sourcetype
fillnull value=0 → handles gaps for smooth sparklines
stats sparkline(count) ... by a b → one sparkline per host+sourcetype row
Perfect table: a | b | count | sparkline
Seen the attached screenshot for better understanding, No more transpose headaches!
Please give 👍 for support 😁 happly splunking .... 😎
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for responding. Here is my ultimate solution.
| stats count by _time,a,b
| stats sum(count) as count,sparkline(count) as sparkline by a,b
| sort -count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use the table command to put the fields in the desired order
| chart sparkline count by a,b
| table a b count sparkline
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for responding. This was the result.
a | b | count | sparkline
thing1 | | |
thing2 | | |
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
