Dashboards & Visualizations

replace "0" with "-" in chart count by two fields

l_
Loves-to-Learn Everything

I have been trying to make a heatmap in a Splunk dashboard.

I want to replace "0" with "-" in the cells of a chart count by two fields when the cell has no data.

How do I accomplish this?

 

EX)

DATA:

FIELD1,FIELD2,FIELD3
a,A,x
a,A,x
b,B,x
a,B,

| chart count(isnotnull(FIELD3)) AS countA by FIELD2,FIELD1

Results I want:

    a  b
A   2  -
B   0  1

Results now:

    a  b
A   2  0
B   0  1

0 Karma

l_
Loves-to-Learn Everything

For example, I'd like to distinguish between:

- FIELD1 and FIELD2 exist / FIELD3 does not exist
- FIELD1, FIELD2 and FIELD3 do not exist

 

0 Karma

ITWhisperer
SplunkTrust

| foreach *
  [| eval <<FIELD>>=if(<<FIELD>>==0,"-",<<FIELD>>)]
0 Karma

l_
Loves-to-Learn Everything

Thank you for your reply.

I tried it, but I'm currently getting this error:

--------------------Failed to parse templatized search for field 'xxx'

for all 35 fields.

What should I do?

0 Karma

ITWhisperer
SplunkTrust

OK so your fields aren't called "Field1" or "Field2"?

Try putting the field name placeholders in quotes, like this:

| foreach *
  [| eval "<<FIELD>>"=if('<<FIELD>>'==0,"-",'<<FIELD>>')]

Note double quotes before the = and single quotes afterwards.

0 Karma

l_
Loves-to-Learn Everything

>OK so your fields aren't called "Field1" or "Field2"?

Actually, yes.

Thank you so much. I could replace "0" with "-".

Can you distinguish the cases in my example, like below?

- 0 expression : exist FIELD1,FIELD2 / not exist FIELD3

- 0 expression : not exist FIELD1,FIELD2,FIELD3

 

0 Karma
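
One way to make the distinction asked about in the last post, as an added example that is not part of the original thread: the posted results show chart putting 0 in combinations that have no events, so this sketch uses stats (one row per FIELD2/FIELD1 combination that actually occurs) with count(FIELD3) (counts only events where FIELD3 has a value), pivots with xyseries, and fills the cells that remain empty with "-". It assumes a Splunk version whose makeresults accepts format=csv; the inline data is the sample from the question, and the nullif line is an added safeguard so that an empty FIELD3 is treated as missing.

```spl
| makeresults format=csv data="FIELD1,FIELD2,FIELD3
a,A,x
a,A,x
b,B,x
a,B,"
| eval FIELD3=nullif(FIELD3, "")
| stats count(FIELD3) AS countA by FIELD2, FIELD1
| xyseries FIELD2 FIELD1 countA
| fillnull value="-"
```

On the sample data, row A shows 2 and "-" and row B shows 0 and 1. In a real search, replace the makeresults line with the base search.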