topic Splunk replaces zero with null values. Chart Avg(value) omits all those null values, with this avg result is not correct. How to fix this? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244489#M189059 <P>Hi Everyone, I am a newbie to splunk. We are using splunk to monitor our custom perfmon counters. see the below search query. While performing avg on one of the counters, I am not getting the right result as i expect. I tried with fillnull and so on. Still the same issue. I can fill nulls but i can't those values of zero's in to consideration while calculating average. </P> <PRE><CODE>index=perfmon collection=ServiceBus counter="Sent/sec" instance="ABC" host ="XYZ" | Timechart avg(Value) </CODE></PRE> <P>Result from the above query. </P> <PRE><CODE>2016-06-27 23:46:00 2016-06-27 23:47:00 10 2016-06-27 23:48:00 10 2016-06-27 23:49:00 2016-06-27 23:50:00 10 2016-06-27 23:51:00 2016-06-27 23:52:00 2016-06-27 23:53:00 10 2016-06-27 23:54:00 2016-06-27 23:55:00 2016-06-27 23:56:00 10 2016-06-27 23:57:00 2016-06-27 23:58:00 2016-06-27 23:59:00 10 2016-06-28 00:00:00 2016-06-28 00:01:00 10 </CODE></PRE> <P>Below is the query that i use to calculate average. </P> <PRE><CODE>index=perfmon collection=ServiceBus counter="Sent/sec" instance="ABC" host ="XYZ" | chart avg(Value) </CODE></PRE> <P>Result from above query is <CODE>10</CODE> (since i have 7 event where data is non zero, sum all the values and divided by the total events = 70/7 = 10) . This is not the result what i am looking for. </P> <P>Expected Result is 70/16 = <CODE>4.375</CODE> . (I have 16 instances of data being reported in the timechart)</P> <P>Can someone help me out how to fix this issue? </P> <P>Thanks,<BR /> Dayananda</P> Wed, 06 Jul 2016 01:59:24 GMT dayananda7449 2016-07-06T01:59:24Z Splunk replaces zero with null values. Chart Avg(value) omits all those null values, with this avg result is not correct. How to fix this? https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244489#M189059 <P>Hi Everyone, I am a newbie to splunk. We are using splunk to monitor our custom perfmon counters. see the below search query. While performing avg on one of the counters, I am not getting the right result as i expect. I tried with fillnull and so on. Still the same issue. I can fill nulls but i can't those values of zero's in to consideration while calculating average. </P> <PRE><CODE>index=perfmon collection=ServiceBus counter="Sent/sec" instance="ABC" host ="XYZ" | Timechart avg(Value) </CODE></PRE> <P>Result from the above query. </P> <PRE><CODE>2016-06-27 23:46:00 2016-06-27 23:47:00 10 2016-06-27 23:48:00 10 2016-06-27 23:49:00 2016-06-27 23:50:00 10 2016-06-27 23:51:00 2016-06-27 23:52:00 2016-06-27 23:53:00 10 2016-06-27 23:54:00 2016-06-27 23:55:00 2016-06-27 23:56:00 10 2016-06-27 23:57:00 2016-06-27 23:58:00 2016-06-27 23:59:00 10 2016-06-28 00:00:00 2016-06-28 00:01:00 10 </CODE></PRE> <P>Below is the query that i use to calculate average. </P> <PRE><CODE>index=perfmon collection=ServiceBus counter="Sent/sec" instance="ABC" host ="XYZ" | chart avg(Value) </CODE></PRE> <P>Result from above query is <CODE>10</CODE> (since i have 7 event where data is non zero, sum all the values and divided by the total events = 70/7 = 10) . This is not the result what i am looking for. </P> <P>Expected Result is 70/16 = <CODE>4.375</CODE> . (I have 16 instances of data being reported in the timechart)</P> <P>Can someone help me out how to fix this issue? </P> <P>Thanks,<BR /> Dayananda</P> Wed, 06 Jul 2016 01:59:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244489#M189059 dayananda7449 2016-07-06T01:59:24Z Re: Splunk replaces zero with null values. Chart Avg(value) omits all those null values, with this avg result is not correct. How to fix this? https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244490#M189060 <P>Like this:</P> <PRE><CODE>index=perfmon collection=ServiceBus counter="Sent/sec" instance="ABC" host ="XYZ" | timechart avg(Value) AS Value | fillnull value="0" Value | chart avg(Value) </CODE></PRE> Thu, 07 Jul 2016 19:24:05 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244490#M189060 woodcock 2016-07-07T19:24:05Z Re: Splunk replaces zero with null values. Chart Avg(value) omits all those null values, with this avg result is not correct. How to fix this? https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244491#M189061 <P>We resolved this issue by adding showZeroValue = 1 in the inputs.config file for each and every category where we need splunk to captured zero value data while forwarding the data to splunk.</P> Wed, 02 Nov 2016 17:51:10 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244491#M189061 dayananda7449 2016-11-02T17:51:10Z Re: Splunk replaces zero with null values. Chart Avg(value) omits all those null values, with this avg result is not correct. How to fix this? https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244492#M189062 <P>This is also relevant if you don't want to use the fillnull command. There's an option in the visualization tab.</P> <P><A href="https://answers.splunk.com/answers/474799/how-to-delete-data-points-with-null-values-by-host.html">https://answers.splunk.com/answers/474799/how-to-delete-data-points-with-null-values-by-host.html</A></P> Wed, 22 May 2019 21:32:51 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-replaces-zero-with-null-values-Chart-Avg-value-omits-all/m-p/244492#M189062 stoutrw 2019-05-22T21:32:51Z