Splunk® Enterprise

Search Tutorial

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Create a report from a sparkline chart

In this example, you create a report that shows the trends in the number of purchases made over time. This example uses sparkline charts. Sparklines are inline charts that appear in the search results table and are designed to display time-based trends associated with the primary key of each row.

For searches that use the stats and chart commands, you can add sparkline charts to the results table.

Prerequisite
This example requires the productName field from the Enabling field lookups section. You must complete all of those steps before continuing with this section.

Steps

  1. Start a new search.
  2. Set the time range to All time.
  3. Run the following search.

    sourcetype=access_* status=200 action=purchase| chart sparkline(count) AS "Purchases Trend" count AS Total BY categoryId | rename categoryId AS "Category"

    This search uses the chart command to count the number of purchases by using action="purchase". The search specifies the purchases made for each product by using categoryId. The difference is that the count of purchases is now an argument of the sparkline() function.

    This screen image shows the results of the search.

  4. Click Save As and select Report.
  5. In the Save Report As dialog box, for Title type Purchasing trends.
  6. For Description, type Count of purchases with trending.

    This screen image shows the Save As Report dialog box.
  7. Click Save.
  8. In the confirmation dialog box, click View. The screen image shows the saved report.

Next step

This completes Part 6 of the Search Tutorial.

Up to now, you have saved searches as Reports. Continue to Part 7: Creating dashboards, where you learn how to save searches and reports as dashboard panels.

See also

chart command in the Search Reference
Add sparklines to your search results in the Search Manual

Last modified on 26 March, 2018
PREVIOUS
Create a report from a custom chart
  NEXT
About dashboards

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters