Format vizualisation not showing trend settings

snigdhasaxena · ‎09-05-2019

I have added timechart and span in my query for dashboard panel (single value visualization). While panel shows trend settings for other panels with similar query, the 2 panels do not get it

richgalloway · ‎09-06-2019

If there are no events returned then there is no trend. However, to display "0" instead of "No results found" use appendpipe.

index=xyz EventCode=4624 OR EventCode=4625 |timechart span=24h count by user 
| appendpipe [ stats count | eval user="N/A" | where count==0 ]

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎09-05-2019

Obviously, something is different between the one panel that works and the two that don't. I can't see your screen from here, so you'll have to describe the differences to me before I can help.

---
If this reply helps you, Karma would be appreciated.

snigdhasaxena · ‎09-05-2019

Query for the panel that doesn't show trend indicator settings :
index=xyz EventCode=4624 OR EventCode=4625 |timechart span=24h count by user

Query for the panel that shows trend indicator settings:
index=xyz (sourcetype=linux_secure eventtype="sshd_authentication" ) OR (eventtype=wineventlog_security AND EventCode=4625) |timechart span=4h values(src_ip) by user| timechart span=24h count

snigdhasaxena · ‎09-05-2019

@richgalloway What I found is if my search doesn't retrieve any events it doesn't show trend settings and says "No result found" while if it shows events , it shows the trend, sparkline,etc. What can we do to fix "No result found" and get indicators for 0 events as well ?

Format vizualisation not showing trend settings

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life