Hi,
I want to create a pie chart by different values, which works well. I have the following problem: the pie chart shall display 0 when there is no event. I created a search that results in a dummy value of 0: |appendpipe [stats count | eval NoResult= "0" | where count=0]
My query: index=abc OR index=def Statuscode="12345"|chart count by index|appendpipe [stats count | eval NoResult= "0" | where count=0]
How is it possible to "combine" the search "chart count by index" with the dummy value?
Thanks for your help!
@reschal, appendpipe should add an entry with 0 value which should be visible in your pie chart. If you have more than 10 results and see an "others" slice with one or more results, there is also a chance that the Minimum Slice size threshold is being applied. If that is the case, you need to change the threshold option to 0 to see the slice with 0 value.
Following is a run-anywhere search based on the Splunk _internal index:
<search>
<query>index=_internal sourcetype=splunkd
| stats count by group
| sort - count
| head 20
| appendpipe
[| makeresults
| eval group="UnKnown",count=0
| table group count]
| dedup group</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
Following is the Simple XML Chart Configuration for setting the minimum size threshold, charting.chart.sliceCollapsingThreshold:
<option name="charting.chart.sliceCollapsingThreshold">0</option>
Thx for your support. Your query works, but is there any option so that my chart only shows the value Unknown (=0) if there is no other event? In case my search shows some events, the "dummy event" shall be removed.
Yes, you should do a dedup by index in the end, i.e. | dedup index.
Since we are appending dummy value/s at the end of the result, if multiple values for the same field value remain, it will pick up the first (in other words, the one from the query result). As you can see, I have | dedup group as my final pipe.
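Added example, not part of the original thread: one way to show a placeholder slice only when the search returns no events is to make the appended row conditional inside the appendpipe subpipeline, building on the asker's own query. The slice label "NoResult" is an assumed value, taken from the field name in the question and written into the index field so it lands in the same column the chart splits by.

```spl
index=abc OR index=def Statuscode="12345"
| chart count by index
| appendpipe
    [ stats count
    | where count=0
    | eval index="NoResult" ]
```

Inside the subpipeline, stats count counts the rows produced by the chart command: if there is at least one row, where count=0 discards the candidate and nothing is appended; if there are none, a single row with index="NoResult" and count=0 becomes the only result. The 0-value slice still depends on charting.chart.sliceCollapsingThreshold being set to 0 as described above.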