Create pie chart that shows values >=0 also when there are no results!

reschal
Explorer

Hi,
I want to create a pie chart by different values, which works well. I have the following problem: the pie chart shall display 0 when there is no event. I created a search that results in a dummy value of 0: |appendpipe [stats count | eval NoResult= "0" | where count=0]

My query: index=abc OR index=def Statuscode="12345"|chart count by index|appendpipe [stats count | eval NoResult= "0" | where count=0]

How is it possible to "combine" the search "chart count by index" with the dummy value?

Thanks for your help!

1 Solution

niketn
Legend

@reschal, appendpipe should add an entry with 0 value which should be visible in your pie chart. If you have more than 10 results and see others slice with one or more results, there is also a chance that the Minimum Slice size threshold is being applied. If that is the case, you need to change the threshold option to 0 to see the slice with 0 value.

Following is a run anywhere search based on the Splunk _internal index:

        <search>
          <query>index=_internal sourcetype=splunkd
| stats count by group
| sort - count
| head 20
| appendpipe
    [| makeresults
     | eval group="UnKnown",count=0
     | table group count]
| dedup group</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>

Following is the Simple XML chart configuration for setting the minimum slice size threshold, charting.chart.sliceCollapsingThreshold:

<option name="charting.chart.sliceCollapsingThreshold">0</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

reschal
Explorer

Thx for your support. Your query works, but is there any option so that my chart only shows the value Unknown(=0) if there is no other event? In case my search shows some events, the "dummy event" shall be removed.

niketn
Legend

Yes, you should do a dedup by index at the end, i.e. | dedup index.

Since we are appending dummy value/s at the end of the result, if multiple values for the same field value remain, it will pick up the first (in other words, the one from the query result). As you can see, I have | dedup group as my final pipe.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
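
Added example, not part of the thread: a complete Simple XML pie panel that combines the asker's "chart count by index" search with the "where count=0" subsearch from the question, so the zero-count placeholder row is appended only when the chart returns no rows. The index names and Statuscode come from the question; the dashboard label, the time range and the placeholder value "NoResult" for the index field are assumptions.

```xml
<dashboard>
  <label>Status code 12345 by index</label>
  <row>
    <panel>
      <!-- Index names and Statuscode are from the question; "NoResult" is an assumed placeholder label. -->
      <chart>
        <search>
          <query>index=abc OR index=def Statuscode="12345"
| chart count by index
| appendpipe
    [ stats count
    | where count=0
    | eval index="NoResult" ]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Inside appendpipe, stats count counts the rows produced by chart, so the subsearch emits its single row (count=0, index="NoResult") only when chart produced none; when real rows exist, "where count=0" drops it and nothing is appended.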