
When counting by _time, how can you show the previous hour's stats value if there are no events during an hour?


I am creating a two-column column chart comparing how many necklaces we made (column 1) vs. how many we need (column 2). The chart is split up by hour, starting from @d-22h to now(). Yet, if no necklaces are created during an hour, the columns will not be produced and will leave a blank space.

If no events in an hour:

Necklaces made=constant value of necklace made during last event hour (constant)

Goal= hour*60 (increase by 60 every hour)

Current chart:


What I want:


Purple rectangles=646 (constant)
Orange rectangles= previous Goal value +60 (box1=540+60; box2=600+60)

Code: ------------------------------------------------------------------------

|makeresults|eval early_relative = "@d-2h"|eval late = "@d+22h"
|eval date_hour=strftime(now(),"%H")
|eval timeofday=case((date_hour>=22 AND date_hour<=23),"@d+22h,now",(date_hour>=0 AND date_hour<22),"@d-2h,now")
|eval split=split(timeofday,",")
|eval early_relative=mvindex(split,0)
|eval early_date=strftime(relative_time(now(),early_relative),"%m/%d/%y %H:%M:%S")
|eval late = if(mvindex(split,1)="now",now(),relative_time(now(),mvindex(split,1)))
|eval late_date = strftime(if(mvindex(split,1)="now",now(),relative_time(now(),mvindex(split,1))),"%m/%d/%y %H:%M:%S")
|eval test = strftime(late,"%m/%d/%y %H:%M:%S")

|map search="search index=..... earliest=\"$early_relative$\" latest=$late$
|eval hour=1|eval date_hour=strftime(now(),\"%H\")
|eval timeofday=case((date_hour>=22 AND date_hour<=23),\"@d+22h,now\",(date_hour>=0 AND date_hour<22),\"@d-2h,now\")
|eval late=$late_date$
|eval early=$early_date$
|bucket _time span=1h
|eval Time=strftime(_time,\"%H\")
|eval Goal_hour=case((Time=22),1,(Time=23),2,(Time>=0 AND Time<22),Time+3)
|eval Goal=Goal_hour*60
|stats count(Neckles) as Actual_Made by _time Goal |accum Actual_Made"

Please help!!! Thank you.
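
One way to get a row for every hour, shown as an added example that is not part of the original post: `timechart` emits a bucket for each hour in the search window even when it holds no events (count 0), so `accum` carries the running total forward and Goal can be derived from the bucket time itself. `<your_index>` is a placeholder, and the `earliest=@d-2h` window is an assumption covering only the question's 00:00-21:59 case.

```spl
index=<your_index> earliest=@d-2h latest=now
| timechart span=1h count(Neckles) AS Made
| accum Made AS Actual_Made
| eval Time=tonumber(strftime(_time,"%H"))
| eval Goal_hour=case(Time=22,1, Time=23,2, Time>=0 AND Time<22,Time+3)
| eval Goal=Goal_hour*60
| fields _time Actual_Made Goal
```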

