Hi, I've got some data that reports the number of users once per day, like:
I'm trying to make a simple sparkline which shows this over the last 90 days. My current search is:
mysearch | chart latest(users) sparkline(avg(users),1d)
This works, but there is a problem: the sparkline displays a value of 0 as the first or last value, depending on when the search is run. It assumes that the value is 0 when the search time range includes part of a day that does not have data. For example, if the search includes the last 2 hours of Tuesday, it will assume a 0, because the data from Tuesday was reported at 4 am.
So, how do I get sparkline to ignore these values, or get the search to not include "partial" days? I've tried usenull=f in the chart command, but it doesn't seem to work for sparklines. I realize that making this a scheduled search would probably work if I get the time ranges just right, but I feel like there is a more elegant way to do it, and I don't want it to break if the reporting frequency changes or moves to a different time.
Thanks in advance
... View more
Hello, I've got several charts on the same row that use the same legend. This particular dashboard is intended to be very small, so, to save space, I'd like to have one legend for all of my charts. I have done this by removing the legend from all but one of the charts with
However, I would like to place the legend horizontally under all of my charts in that row. If I place the legend on the bottom of one chart, it crams itself into the column space that is reserved for that chart only, and won't invade the space of the other charts. So, I wonder if there is a way to have the dashboard display a chart's legend, but not the chart?
I've tried doing this with
that removes the chart, but it will not display the legend, even if the legend placement is explicitly defined. Is there a way to do this?
By the way, are there any examples of dashboards that are designed to take very little screen space? The intention is to be able to put this in the corner of one's monitor.
... View more
Hello fellow splunkers,
I have a large dataset that I am searching through, and I want to create a historical timechart which goes back for several months. Because of the size of the dataset, having a search which goes that far back is impracticable (or at least impractical).
My solution was to schedule a daily search which would save the results from the last 24 hours. After 3 months, for example, I would have 90 saved results which each only contain a simple count of the number of events, and my chart could therefore simply graph the counts from each saved result, with each one being a datapoint. I'd just set the TTL for the saved results to be 90 days.
I'm fairly new to Splunk, but this seems like it would be a pretty basic feature, so I feel like I'm missing something. The closest I've gotten is using something like | append loadjob savedsearch=foo, but that will only add a single saved result, unless foo is somehow a "living" result which always has the results from the past 90 days.
I've heard of summary indexes for dealing with large datasets, and I'll research them to see if it's what I need, but I was hoping for a relatively simple solution which could be carried out within the Splunk web interface.
Thanks in advance, and sorry if this has been answered before.
... View more