Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Single with timechart display issue

Chris_Semon
New Member
‎04-02-2024 09:50 AM

I have a query that counts totals for each day for the past 7 days and produces these results: 2, 0, 2, 0, 0, 0, 0. No matter what I do, the SINGLE with timechart and trendlines enabled produced ignores the trailing zeros and displays a 2, with a trendling of increasing 2. It should diplay a zero with a zero trend line representing the last two segments (both zero).

Before the main query (as recommended) I have used the | makeresults earliest"-7d@d" count =0 to ensure the days with zero count are included. I have tried the suggested appendpipe option:

| appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]


and the appendpipe with max(count) option:

| appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time | mvexpand time | rename time as _time | timechart span=1d max(count) as count]


Neither create the correct timechart.

From the dashboard in the Edit UI mode, if I click on the query magnifying glass and open in a new tab, the results do NOT diplay the trailing zeros.

If I copy and paste the query into a search bar with the time picker set to All Time, I get the correct values: 2, 0, 2, 0, 0, 0, 0. Is there an option setting I may have wrong? How do I fix this?

Labels (1)
Labels
0 Karma
Reply

Chris_Semon
New Member
‎04-03-2024 07:30 AM

Thank you for your help, but I figured out what was wrong. The query I am using pulls data from a relational database. We have created a macro that converts the SPL into the query language for that DB and part of that includes the time frame. So essentially, for those queries the time picker is irrelevant. As I stated previously, the query works fine in the splunk search bar. However, in the dashboard, the query is the PARENT Query, and the results are filtered by subsequent child queries. The child queries have no concept of the earliest or latest,  even though they are supposed to inherit that from the parent query, and the SPL doesn't allow you to put that code in after the filter query. Our problem was that since the Parent Query didn't use the earliest and latest times, we deleted the code that defined that after the query. Once I reinserted the code for the earliest and latest times after the Parent Query, the Single with trend lines worked as they should.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-02-2024 04:12 PM

Can you give a bit more about your query because having to use appendpipe to get dates filled in seems a little unusual. This example

| makeresults
| eval count=split("2,0,2,0,0,0,0",",")
| mvexpand count
| streamstats c
| eval _time=now() - ((7 - c) * 86400)
| fields - c

will produce this single viz whether or not you add

| timechart span=1d max(count) as count

bowesmana_0-1712099388384.png

 

0 Karma
Reply

marnall
Motivator
‎04-02-2024 01:28 PM

I don't fully understand what you mean... would it be possible to include screenshots demonstrating the timechart you would like (using the All-time search) versus what you get? Also a full query (without private information) would be very helpful.

E.g. something like this?

marnall_0-1712089677436.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...