https://community.splunk.com/t5/Splunk-Search/Timechart-fillnull-with-append-search/m-p/432585#M123602 <P>So, I'm trying to come up with a way to compare data from this year and last year into a <CODE>Single Value</CODE> Graph but I am unable to force the 0 value into the first timechart with it's own date. This is my search query.</P> <PRE><CODE>index=* host=*obe2e*ap* code=NAV7000 | timechart span=1d dc(confirmationNumber) as "Stats" | append [search index=* source=*funnel*'step5' earliest=-1y+1d@h latest=-1y+1d+1h@h | timechart span=1d count as "Stats"] | sort _time </CODE></PRE> <P>I've tried adding <CODE>| table _time, Stats | fillnull Stats</CODE> but due to it already having a value cause by the append search, it won't work. I also tried renaming both fields, the first one into <CODE>Stats2</CODE> and second one into <CODE>Stats</CODE> and apply the same concept <CODE>| table _time, Stats, Stats2 | fillnull Stats2</CODE> and it works but it registers under the same date, and not a different one, therefore the <CODE>Single Value</CODE> visualization doesn't work.</P> <P>Help! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 05 Aug 2019 15:06:58 GMT ecedwards 2019-08-05T15:06:58Z https://community.splunk.com/t5/Splunk-Search/Timechart-fillnull-with-append-search/m-p/432585#M123602 <P>So, I'm trying to come up with a way to compare data from this year and last year into a <CODE>Single Value</CODE> Graph but I am unable to force the 0 value into the first timechart with it's own date. This is my search query.</P> <PRE><CODE>index=* host=*obe2e*ap* code=NAV7000 | timechart span=1d dc(confirmationNumber) as "Stats" | append [search index=* source=*funnel*'step5' earliest=-1y+1d@h latest=-1y+1d+1h@h | timechart span=1d count as "Stats"] | sort _time </CODE></PRE> <P>I've tried adding <CODE>| table _time, Stats | fillnull Stats</CODE> but due to it already having a value cause by the append search, it won't work. I also tried renaming both fields, the first one into <CODE>Stats2</CODE> and second one into <CODE>Stats</CODE> and apply the same concept <CODE>| table _time, Stats, Stats2 | fillnull Stats2</CODE> and it works but it registers under the same date, and not a different one, therefore the <CODE>Single Value</CODE> visualization doesn't work.</P> <P>Help! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 05 Aug 2019 15:06:58 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-fillnull-with-append-search/m-p/432585#M123602 ecedwards 2019-08-05T15:06:58Z https://community.splunk.com/t5/Splunk-Search/Timechart-fillnull-with-append-search/m-p/432586#M123603 <P>Your logic (using <CODE>dc</CODE> one place and <CODE>count</CODE> the other) seems like it is highly likely to be INCORRECT, but, presuming that it is not, try this:</P> <PRE><CODE>(index=* host=*obe2e*ap* code=NAV7000) OR (index=* source=*funnel*'step5' earliest=-1y+1d@h latest=-1y+1d+1h@h) | timechart span=1d dc(confirmationNumber) AS ThisYear count(eval(source="*funnel*'step5')) AS LastYear | stats max(*) AS * | eval diff = ThisYear - LastYear </CODE></PRE> Mon, 05 Aug 2019 16:13:11 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-fillnull-with-append-search/m-p/432586#M123603 woodcock 2019-08-05T16:13:11Z