Splunk 简明教程
Splunk - Sparklines
火花线是某种统计信息的微小表示,不显示轴。它通常显示为带有凹凸的线,仅仅是为了表示某数量在一段时间内是如何变化的。Splunk 有内置函数,可以从搜索的事件中创建火花线。它是图表创建函数的一部分。
A sparkline is a small representation of some statistical information without showing the axes. It generally appears as a line with bumps just to indicate how certain quantity has changed over a period of time. Splunk has in-built function to create sparklines from the events it searches. It is a part of the chart creation function.
Selecting the Fields
我们需要选择用于创建火花线的字段和搜索公式。下图显示了 web_application 主机中某些文件的平均字节大小值。
We need to select the field and the search formula which will be used in creating the sparkline. The below image shows the average byte size values of the some of the files in the web_application host.
Creating the Sparkline
要从上述统计信息创建火花线,我们像下图所示将火花线函数添加到搜索查询中。上述统计信息的表格视图现在开始显示这些文件的平均字节大小的火花线。在这里,我们取 All Time 作为计算文件平均字节大小变化的时期。如果我们更改此时间段,则图表性质将发生变化。
To create the Sparklines from above statistics, we add the Sparkline function to the search query as shown in the image below. The table view of the above statistics now starts displaying the sparklines for average byte size of those files. Here, we have taken All Time as the time period for calculating the variation in average byte size of files. If we change this time period, then the nature of the graphs will change.
Changing the Time Period
如果我们将上述图表的时间范围从全部时间更改为最近 30 天,我们将看到火花线略有不同,如下所示。在这里我们需要注意,由于这些文件在那段时间内不可用,所以列表中少了几个文件名。
If we change the time period for the above graph from All Time to Last 30 days, we will see the sparklines to be little different as shown below. Here we need to note, how few file names have vanished from the list as those files were not available in that time period.
