Dashboards & Visualizations

Single with timechart display issue

New Member

I have a query that counts totals for each day for the past 7 days and produces these results: 2, 0, 2, 0, 0, 0, 0. No matter what I do, the SINGLE with timechart and trendlines enabled produced ignores the trailing zeros and displays a 2, with a trendling of increasing 2. It should diplay a zero with a zero trend line representing the last two segments (both zero).

Before the main query (as recommended) I have used the | makeresults earliest"-7d@d" count =0 to ensure the days with zero count are included. I have tried the suggested appendpipe option:

| appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]

and the appendpipe with max(count) option:

| appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time | mvexpand time | rename time as _time | timechart span=1d max(count) as count]

Neither create the correct timechart.

From the dashboard in the Edit UI mode, if I click on the query magnifying glass and open in a new tab, the results do NOT diplay the trailing zeros.

If I copy and paste the query into a search bar with the time picker set to All Time, I get the correct values: 2, 0, 2, 0, 0, 0, 0. Is there an option setting I may have wrong? How do I fix this?

Labels (1)
0 Karma

New Member

Thank you for your help, but I figured out what was wrong. The query I am using pulls data from a relational database. We have created a macro that converts the SPL into the query language for that DB and part of that includes the time frame. So essentially, for those queries the time picker is irrelevant. As I stated previously, the query works fine in the splunk search bar. However, in the dashboard, the query is the PARENT Query, and the results are filtered by subsequent child queries. The child queries have no concept of the earliest or latest,  even though they are supposed to inherit that from the parent query, and the SPL doesn't allow you to put that code in after the filter query. Our problem was that since the Parent Query didn't use the earliest and latest times, we deleted the code that defined that after the query. Once I reinserted the code for the earliest and latest times after the Parent Query, the Single with trend lines worked as they should.

0 Karma


Can you give a bit more about your query because having to use appendpipe to get dates filled in seems a little unusual. This example

| makeresults
| eval count=split("2,0,2,0,0,0,0",",")
| mvexpand count
| streamstats c
| eval _time=now() - ((7 - c) * 86400)
| fields - c

will produce this single viz whether or not you add

| timechart span=1d max(count) as count



0 Karma


I don't fully understand what you mean... would it be possible to include screenshots demonstrating the timechart you would like (using the All-time search) versus what you get? Also a full query (without private information) would be very helpful.

E.g. something like this?



0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...