https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610598#M50059 <P>Here's one example of how to fill in gaps</P><LI-CODE lang="markup">| makeresults count=50 | eval _time=now()-((random() % 60) * 60) | eval host=mvindex(split("hosta,hostb,hostc",","), random() % 3) | bin _time span=5m | stats count by _time,host | eval count=if(count&gt;0,1,0) | append [ | makeresults | eval host=split("hosta,hostb,hostc",",") | addinfo | eval time_window = info_max_time - info_min_time | eval bin_count = round(time_window / 300) | mvexpand host | eval bins=mvrange(1, bin_count + 1, 1) | mvexpand bins | eval _time=now() - (bins * 300) | eval count = 0, dummy=1 | fields _time host count ] | bin _time span=5m | stats max(count) as count by _time,host |timechart span=5m limit=0 last(count) by host</LI-CODE><P>It generates the additional check data in the append by taking all the 'known' hosts and creating extra rows on the end for each 5 minute bin within the search window, and then stats joins them back together - then you can use your timechart at the end</P><P>There's probably another way to fill the gaps - there always is with Splunk</P><P>&nbsp;</P> Wed, 24 Aug 2022 03:21:51 GMT bowesmana 2022-08-24T03:21:51Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610462#M50048 <P>I want to have a graph where where you can easily see when that system is no longer taking kerberos authentications.&nbsp; But when it doesn't show anything for over 12h, then that object is no longer in that graph. Is there a way to keep my servers showing even if there are 0 events for that time period?</P><P>index=perfmon source="Perfmon:Security System-Wide Statistics" counter="Kerberos Authentications" earliest=-12h latest=now<BR />[inputlookup Prod_DC.csv]<BR />| eval host=lower(host)<BR />|bucket span=5m time | stats count by _time,host|eval count=if(count&gt;0,1,0)<BR />|timechart span=5m limit=0 last(count) by host</P> Tue, 23 Aug 2022 08:07:58 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610462#M50048 LyDang 2022-08-23T08:07:58Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610465#M50049 <P>To show something that doesn't exist means you have to add that 'known' component back in. That means after your search you have to add back all the hosts you expect to see. If your hosts are in&nbsp;<SPAN>Prod_DC.csv you will need to append that data then massage the results with something like the method below for a simple stats collection</SPAN></P><LI-CODE lang="markup">.... | append [ | inputlookup Prod_DC.csv | eval count=0 ] | stats max(count) as count by host</LI-CODE><P>&nbsp;</P> Tue, 23 Aug 2022 08:43:15 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610465#M50049 bowesmana 2022-08-23T08:43:15Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610589#M50058 <P>The problem is that I have:</P><P>|bucket span=5m time | stats count by _time,host|eval count=if(count&gt;0,1,0)</P><P>I think this put events in 5m time slots.</P><P>&nbsp;</P><P>I want a chart that will tell me every 5 minutes if 1/There are any events or 2/There are 0 events.</P><P>Also to have the server on the list if 0 events for that 12 hours.</P><P>&nbsp;</P> Wed, 24 Aug 2022 01:24:35 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610589#M50058 LyDang 2022-08-24T01:24:35Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610598#M50059 <P>Here's one example of how to fill in gaps</P><LI-CODE lang="markup">| makeresults count=50 | eval _time=now()-((random() % 60) * 60) | eval host=mvindex(split("hosta,hostb,hostc",","), random() % 3) | bin _time span=5m | stats count by _time,host | eval count=if(count&gt;0,1,0) | append [ | makeresults | eval host=split("hosta,hostb,hostc",",") | addinfo | eval time_window = info_max_time - info_min_time | eval bin_count = round(time_window / 300) | mvexpand host | eval bins=mvrange(1, bin_count + 1, 1) | mvexpand bins | eval _time=now() - (bins * 300) | eval count = 0, dummy=1 | fields _time host count ] | bin _time span=5m | stats max(count) as count by _time,host |timechart span=5m limit=0 last(count) by host</LI-CODE><P>It generates the additional check data in the append by taking all the 'known' hosts and creating extra rows on the end for each 5 minute bin within the search window, and then stats joins them back together - then you can use your timechart at the end</P><P>There's probably another way to fill the gaps - there always is with Splunk</P><P>&nbsp;</P> Wed, 24 Aug 2022 03:21:51 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610598#M50059 bowesmana 2022-08-24T03:21:51Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610603#M50061 <P>This is another way of appending the columns for any MISSING hosts entirely.</P><P>The first timechart + fillnull will create the gaps for all hosts found, but then the final appendcols will add in columns for any missing hosts</P><LI-CODE lang="markup">| makeresults count=50 | eval _time=now()-((random() % 62) * 60) | eval host=mvindex(split("hosta,hostb,hostc",","), random() % 3) | bin _time span=5m | stats count by _time,host | eval count=if(count&gt;0,1,0) |timechart span=5m limit=0 last(count) by host | fillnull | appendcols [ | makeresults | eval host=split("hosta,hostb,hostc,hostd",",") | mvexpand host | eval count=0 | chart values(count) as count over _time by host ] | filldown</LI-CODE><P>&nbsp;Hopefully these will give you something to work with</P> Wed, 24 Aug 2022 04:06:10 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610603#M50061 bowesmana 2022-08-24T04:06:10Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610608#M50062 <P>That works for me! Many thanks&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Wed, 24 Aug 2022 05:27:46 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-show-computer-in-horizontal-chart-event-if-there-are-0/m-p/610608#M50062 LyDang 2022-08-24T05:27:46Z