https://community.splunk.com/t5/Splunk-Dev/Attempting-to-show-host-in-column-chart-even-when-host-didn-t/m-p/313751#M4302 <P>I am monitoring firewall and everything works fine when all host are producing logs. If a host happens to go offline and doesn't produce logs for an entire day it disappears from my column chart and I would like to have it still show the host but maybe without "bar graph". </P> <P>Search string: index=name sourcetype="dell:firewall" earliest=-1d@d latest=@d | chart count(eval(pri=1)) AS Emergency, count(eval(pri=2)) AS Alert, count(eval(pri=3)) AS Critical, count(eval(pri=4)) AS Error, count(eval(pri=5)) AS Warning, count(eval(pri=6)) AS Notification, count(eval(pri=7)) AS Informational, count(eval(pri=8)) AS Debugging, by host</P> <P>I've tried adding fillnull value=0 as well as a few other options but none seem to keep the host listed as a "by host" field when no logs are produced. I tried to attached two screenshots to this ticket not sure if they posted correctly.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2515i1C16B378A13114BE/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 22 Feb 2017 02:56:04 GMT Feedy 2017-02-22T02:56:04Z https://community.splunk.com/t5/Splunk-Dev/Attempting-to-show-host-in-column-chart-even-when-host-didn-t/m-p/313751#M4302 <P>I am monitoring firewall and everything works fine when all host are producing logs. If a host happens to go offline and doesn't produce logs for an entire day it disappears from my column chart and I would like to have it still show the host but maybe without "bar graph". </P> <P>Search string: index=name sourcetype="dell:firewall" earliest=-1d@d latest=@d | chart count(eval(pri=1)) AS Emergency, count(eval(pri=2)) AS Alert, count(eval(pri=3)) AS Critical, count(eval(pri=4)) AS Error, count(eval(pri=5)) AS Warning, count(eval(pri=6)) AS Notification, count(eval(pri=7)) AS Informational, count(eval(pri=8)) AS Debugging, by host</P> <P>I've tried adding fillnull value=0 as well as a few other options but none seem to keep the host listed as a "by host" field when no logs are produced. I tried to attached two screenshots to this ticket not sure if they posted correctly.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2515i1C16B378A13114BE/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 22 Feb 2017 02:56:04 GMT https://community.splunk.com/t5/Splunk-Dev/Attempting-to-show-host-in-column-chart-even-when-host-didn-t/m-p/313751#M4302 Feedy 2017-02-22T02:56:04Z https://community.splunk.com/t5/Splunk-Dev/Attempting-to-show-host-in-column-chart-even-when-host-didn-t/m-p/313752#M4303 <P><STRONG>Option 1</STRONG><BR /> If you have access to execute REST API in Splunk search you can add a filter in base search to get all your hosts (or deployment clients) by adding a filter to base search like the following:</P> <PRE><CODE>index=name sourcetype="dell:firewall" [| rest /services/deployment/server/clients| search hostname="192.168.*" | fields hostname | fields - _* | rename hostname as host] earliest=-1d@d latest=@d | &lt;Your Stats Command&gt; </CODE></PRE> <P>In the base search you can add filter for your hosts using OR or a pattern using wildcard/s ( I have taken 192.168.* ) as an example.</P> <P><STRONG>Option 2</STRONG><BR /> Alternatively you can create lookup table with your host names and instead of <STRONG>rest</STRONG> use <STRONG>inputlookup</STRONG> to get list of all hosts.</P> <P><STRONG>Option 3</STRONG><BR /> You can do a stats preferably (distinct_count() ) on a field you know that definitely exists on all your hosts and then use eval to replace the stats on the field with 0.</P> Wed, 22 Feb 2017 05:11:37 GMT https://community.splunk.com/t5/Splunk-Dev/Attempting-to-show-host-in-column-chart-even-when-host-didn-t/m-p/313752#M4303 niketn 2017-02-22T05:11:37Z https://community.splunk.com/t5/Splunk-Dev/Attempting-to-show-host-in-column-chart-even-when-host-didn-t/m-p/313753#M4304 <P>@Feedy Were you able to test this solution?</P> Fri, 24 Feb 2017 16:54:10 GMT https://community.splunk.com/t5/Splunk-Dev/Attempting-to-show-host-in-column-chart-even-when-host-didn-t/m-p/313753#M4304 niketn 2017-02-24T16:54:10Z