Re: display '0' in single value with timechart

Mike6960 · ‎02-26-2018

My search displays 'no results'

index=* sourcetype="CKBG"
| where CB != GB
| timechart count span=1d

When I use statscount instead it displays '0' . This also what I need. Ik palyed around with fillnull but dont seem to get it working

mayurr98 · ‎02-26-2018

Try like this

index=* sourcetype="CKBG"
| where CB != GB
| timechart span=1d count  | appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]

OR

 index=* sourcetype="CKBG"
| where CB != GB
| timechart span=1d count | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time| mvexpand time | rename time as _time | timechart span=1d max(count) as count]

let me know if this helps!

Mike6960 · ‎02-26-2018

Thanks, the first one works. Don't really understand how it works but thats beside the point. Only thing is that it does not show a trendline now. Second one does not display results.

mayurr98 · ‎02-26-2018

what is your exact query?

Mike6960 · ‎02-26-2018

the one i put in my question

Mike6960 · ‎02-26-2018

mayurr98 · ‎02-26-2018

how will it show trendline automatically? you would need to use trendline command at the end of the query right?

Mike6960 · ‎02-26-2018

No, trendline is selected in 'menu' 'formatting visualisation'

kamlesh_vaghela · ‎02-26-2018

Can you please look at this answer:
https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
It might give you an answer.

Mike6960 · ‎02-26-2018

This answers 'talks' about when there is no result. I have a result, but that is '0' . Besides that, I use a timechart which isn't mentioned in the answer

display '0' in single value with timechart

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services