Solved: Why is my linechart with count 0 shows up as count...

Bleepie · ‎03-10-2022

Dear Splunk community,

I have the following query:

index="myIndex"
source="*mySource*" 
nameOfLog* 
"ExitCode: 0" 
| stats count by _time

Once a day a event is generated. So either it was generated (count = 1) or it was not (count = 0).

I have a line diagram for the last 30 days that looks like this:

On February 20th there was one event generated. On 23 February there was one event generated. On 21th and 22th of February, no events were generated. Therefore I expect the line to go down in the line chart like so:

------_-------

This is not happening, and I am wondering why. How do I adjust this to show count=0 in the chart aswell? Thanks.

ITWhisperer · ‎03-10-2022

There are no events so nothing is charted - use timechart to generate events with zero counts

| timechart count

View solution in original post

venky1544 · ‎03-10-2022

Hi @Bleepie

did you tried

|timechart span=1d count by _time

ITWhisperer · ‎03-10-2022

There are no events so nothing is charted - use timechart to generate events with zero counts

| timechart count

Why is my linechart with count 0 shows up as count 1?

chart

panel

timechart

Developer Spotlight with Paul Stout

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...