If you are working with stats and chart searches, you can increase their usefulness and overall information density by adding sparklines to their result tables. Sparklines are inline charts that appear within table cells in search results, and are designed to display time-based trends associated with the primary key of each row.

The size of the sparkline is defined by settings in the nf file. The sparkline_maxsize setting defines the maximum number of elements to emit for a sparkline.

For example, say you have this search, set to run over events from the Last 15 minutes:

    index=_internal | chart count by sourcetype

This search returns a two-column results table that shows event counts for the source types that have been indexed to _internal in the last 15 minutes. The first column lists each sourcetype found in the past hour's set of _internal index events; this is the primary key for the table. The second column, count, displays the event counts for each listed source type.

You can add sparklines to the results of this search by adding the sparkline function to the search itself:

    index=_internal | chart sparkline count by sourcetype
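
The following Python sketch is an added illustration, not Splunk code and not part of the original page. It models what the `chart sparkline count by sourcetype` table conveys: two source types with identical totals whose sparklines separate a steady source from a burst. The events, the 15-bucket resolution, and the function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events: (seconds since window start, sourcetype).
# Both source types log 6 events in the 15-minute (900 s) window.
EVENTS = (
    [(t, "splunkd") for t in (30, 200, 380, 520, 700, 880)]            # steady
    + [(t, "splunkd_access") for t in (610, 615, 620, 625, 630, 640)]  # burst
)

BARS = "▁▂▃▄▅▆▇█"


def chart_sparkline_count(events, window=900, buckets=15):
    """Model of the results table: {sourcetype: (per-bucket counts, total)}.

    `window` and `buckets` are hypothetical parameters; Splunk chooses
    its own sparkline resolution.
    """
    span = window / buckets
    series = defaultdict(lambda: [0] * buckets)
    for ts, sourcetype in events:
        if 0 <= ts < window:  # ignore events outside the search window
            series[sourcetype][min(int(ts // span), buckets - 1)] += 1
    return {st: (counts, sum(counts)) for st, counts in series.items()}


def render(counts):
    """Scale bucket counts to the row's own peak and draw one bar each."""
    peak = max(counts) or 1
    return "".join(BARS[(c * (len(BARS) - 1)) // peak] for c in counts)


def table(events):
    """Rows of (sourcetype, sparkline, count), keyed by sourcetype."""
    rows = chart_sparkline_count(events)
    return [(st, render(c), n) for st, (c, n) in sorted(rows.items())]


if __name__ == "__main__":
    for st, spark, n in table(EVENTS):
        print(f"{st:16} {spark} {n}")
```

The count column is 6 for both rows, so only the sparkline column shows that every `splunkd_access` event landed in a single minute.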