add custom name in chart viz for empty space

kpavan · ‎06-19-2020

Hi All,

I got requirement where we need to display custom name like "maintenance" during planned activity when there will be no data and while displaying in chart currently its empty space, but needed to display as maintenance as custom word. I tried with fillnull it doesn't show in chart but in table it does.

index=myindex source=mysource status=*
| timechart count as total, count(eval(status=="PASS")) as Success,count(eval(status=="Fail")) as Failure
| eval PF=round((Failure/total)*100), "Success%"=round((100-PF))

Please let me know any suggestions to achieve this.

Thanks!
Pavan

niketn · ‎06-21-2020

@kpavan you have following 2 options:

Option 1 : Splunk built in Chart Event Annotation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartEventAnnotations

Option 2 : Region Chart Custom Visualization by @chrisyounger : https://splunkbase.splunk.com/app/4911/

Following is a run anywhere example for both examples above. The example assumes maintenance window every Sunday from 8:00 PM to midnight.

PS: For the second option to work you would need to get Region Chart custom visualization from Splunkbase.

<dashboard theme="light">
  <label>Maintenance Window</label>
  <row>
    <panel>
      <title>Option 1: Maintenance Window using Splunk Chart Event Annotation</title>
      <chart>
        <search type="annotation">
          <query>| makeresults
| addinfo
| eval _time=split($tokEarliestTime|s$."|".$tokLatestTime|s$,"|")
| stats count by _time
| timechart count span=1h
| fields - count
| eval isMaintenanceWindow=if(strftime(_time,"%a")=="Sun" AND tonumber(strftime(_time,"%H"))&gt;20,"Maintenance Window Sunday 8:00 PM - 11:59 PM","Regular")
| search isMaintenanceWindow="Maintenance Window Sunday 8:00 PM - 11:59 PM"
| eval annotation_label=isMaintenanceWindow</query>
        </search>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=WARN
| timechart count as ERRORS span=1h
| fillnull value=0 ERRORS</query>
          <earliest>-15d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <progress>
            <eval token="tokEarliestTime">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
            <eval token="tokLatestTime">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
          </progress>
        </search>
        <!-- Secondary search that drives the annotations -->
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel id="panel_chart_error_trend">
      <title>Option 2: Maintenance Window using Region Chart Custom Visualization</title>
      <viz type="region_chart_viz.region_chart_viz">
        <search>
          <progress>
            <eval token="tokEarliestTime">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
            <eval token="tokLatestTime">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
          </progress>
          <query>index=_internal sourcetype=splunkd log_level=WARN
| timechart count as ERRORS span=1h
| fillnull value=0 ERRORS
| eval regions=if(strftime(_time,"%a")=="Sun" AND tonumber(strftime(_time,"%H"))&gt;20,"Maintenance Window Sunday 8:00 PM - 11:59 PM=red","")</query>
          <earliest>-15d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </viz>
    </panel>
  </row>
</dashboard>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

add custom name in chart viz for empty space

chart

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!