Dashboards & Visualizations

Single with timechart display issue

Chris_Semon
New Member

I have a query that counts totals for each day for the past 7 days and produces these results: 2, 0, 2, 0, 0, 0, 0. No matter what I do, the SINGLE with timechart and trendlines enabled ignores the trailing zeros and displays a 2, with a trendline of increasing 2. It should display a zero with a zero trend line representing the last two segments (both zero).

Before the main query (as recommended) I have used | makeresults earliest="-7d@d" count=0 to ensure the days with zero count are included. I have tried the suggested appendpipe option:

| appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]


and the appendpipe with max(count) option:

| appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time | mvexpand time | rename time as _time | timechart span=1d max(count) as count]


Neither creates the correct timechart.

From the dashboard in the Edit UI mode, if I click on the query magnifying glass and open in a new tab, the results do NOT display the trailing zeros.

If I copy and paste the query into a search bar with the time picker set to All Time, I get the correct values: 2, 0, 2, 0, 0, 0, 0. Is there an option setting I may have wrong? How do I fix this?


Chris_Semon
New Member

Thank you for your help, but I figured out what was wrong. The query I am using pulls data from a relational database. We have created a macro that converts the SPL into the query language for that DB and part of that includes the time frame. So essentially, for those queries the time picker is irrelevant. As I stated previously, the query works fine in the Splunk search bar. However, in the dashboard, the query is the PARENT Query, and the results are filtered by subsequent child queries. The child queries have no concept of the earliest or latest, even though they are supposed to inherit that from the parent query, and the SPL doesn't allow you to put that code in after the filter query. Our problem was that since the Parent Query didn't use the earliest and latest times, we deleted the code that defined that after the query. Once I reinserted the code for the earliest and latest times after the Parent Query, the Single with trend lines worked as they should.

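The fix described in this reply, and the zero-fill behaviour the original question is about, can be shown in a minimal Simple XML dashboard. This is an added example, not code from the thread: the parent (base) search carries the time picker's earliest and latest, and the child post-process search that feeds the Single inherits that range, so timechart can emit buckets for the trailing days that have no events. The macro name `daily_event_query`, the `host` field and the token names are placeholders and are not from the original post.

```xml
<form>
  <label>Daily event count with trend (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="host_tok">
      <label>Host filter</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Parent (base) search. `daily_event_query` is a placeholder for whatever
       macro or search actually produces the rows; replace it with your own. -->
  <search id="base">
    <query>`daily_event_query` | bin _time span=1d | stats count by _time, host</query>
    <!-- These two elements are what the thread's fix reinstated: without them the
         post-process search below runs with no time bounds, so timechart only
         knows about the days that returned rows and the trailing zero days vanish. -->
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Events per day</title>
      <single>
        <!-- Child (post-process) search: filters the parent's rows and inherits
             the parent's earliest/latest, so every day in the range gets a bucket. -->
        <search base="base">
          <query>| search host=$host_tok$ | timechart span=1d sum(count) as count</query>
        </search>
        <option name="showTrendIndicator">1</option>
        <option name="trendInterval">-1d</option>
        <option name="showSparkline">1</option>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
```

With the time range set to the last seven days, a day with no matching rows still appears as a zero bucket, so the Single shows 0 with a flat trend when the last two days are empty. Removing the `<earliest>`/`<latest>` elements from the base search reproduces the behaviour in the question: the sparkline and trend are computed only over the days that had data.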

bowesmana
SplunkTrust

Can you give a bit more about your query because having to use appendpipe to get dates filled in seems a little unusual. This example

| makeresults
| eval count=split("2,0,2,0,0,0,0",",")
| mvexpand count
| streamstats c
| eval _time=now() - ((7 - c) * 86400)
| fields - c

will produce this single viz whether or not you add

| timechart span=1d max(count) as count

(screenshot: bowesmana_0-1712099388384.png)


marnall
Builder

I don't fully understand what you mean. Would it be possible to include screenshots demonstrating the timechart you would like (using the All-time search) versus what you get? Also, a full query (without private information) would be very helpful.

E.g. something like this?

(screenshot: marnall_0-1712089677436.png)
