Dashboards & Visualizations

How to display a certain value in a single value chart when the value is not equal to zero?


hi! I have a single value chart wherein I want to display a certain value if that value is not equal to zero. I have three values, BAD, WARNING GOOD. when either each of these values turns to zero I will not display it in the single value and the non zero value will be the one displayed in my single value chart.

here is my search:

| ... mysearch 
|eval RT = T + Tt
|eval Rt = R + Rr
|eval Target= Rt * 600

|eval Bad = if((RT>Target),RT,0)
|eval Warning = if((RT<=(Target-1)) AND (RT>(Target/2)),RT,0)
|eval Good = if((RT<=((Target/2)-1)),RT,0)
0 Karma

Path Finder

I'd try a case statement. If I follow your logic it might look something like this. This way you end up with just one field and one value to then display in your single value visualization. The "fixme" at the end is just in case there is some logic issues to work out you get some result vs everything not evaluating as true.

| eval foo = case(RT>Target, "Bad", RT<=(Target-1) AND (RT>(Target/2)), "Warning", RT<=((Target/2)-1), "Good", 1=1, "fixme")
| fields foo

0 Karma


I will try this then I will get back if this works for me, thank you so much!

0 Karma

Revered Legend

Can you provide expected output with sample values of fields Bad/Warning/Good?

0 Karma


Depending on the condition, these values can go Like this,

Good Warning Bad
0 0 100
100 0 0

as you notice, depending on the condition, only one contains a value while two values remain at zero

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...