Solved: timechart return 0 if no results found

amitdaniel · ‎04-17-2018

Hi .
I have a sourcetype = Queue and i'm sending the number of messages waiting in the queue .

index=monitoring sourcetype=Qeueue Account=azbcd ( QueueName="test123") | timechart max(MessageCount) as MessageCount span=30minute

But if the number of messages = 0 i'm not sending any data to Splunk ( Actually if i'll not find a solution i'll fix my code to send 0 but i want to avoid that )

Look at the picture you can see that when the messageCount=0 i have a "hole" in the graph .
Is there a way to add if condition or something else that will say if we don't have data put 0 ?

Thanks ,
Amit

p_gurav · ‎04-17-2018

You can use Zero option for "Null Values" in Format tab. Refer doc:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/LineAreaCharts#Configuration_options

View solution in original post

TISKAR · ‎04-18-2018

Hello,
Can you try this please,

index=monitoring sourcetype=Qeueue Account=azbcd ( QueueName="test123") | timechart max(MessageCount) as MessageCount span=30minute | fillnull value=0

Also you can use make continous command:

https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Makecontinuous

Regards

p_gurav · ‎04-17-2018

You can use Zero option for "Null Values" in Format tab. Refer doc:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/LineAreaCharts#Configuration_options

amitdaniel · ‎04-18-2018

Thank you !

niketn · ‎04-18-2018

The command equivalent for this would be | fillull value=0 to be added after the timechart command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

timechart return 0 if no results found

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!