Chart force line chart to show zero when no result...

markgomez00 · ‎10-10-2013

Hi, I have a realtime chart that monitors the current messages in queue,

my search string right now is

  host=host1 sourcetype="Perfmon:MSMQ Queue" "instance=instance2" OR "instance=instance1"

sometimes no results are returned due to the queue having 0 messages for over a long period of time,
Is it possible on splunk line chart to force it to show 0 value when no results are returned?

thanks in advance

sansay · ‎11-25-2014

It really depends on your timechart statement. Assuming that you measure instance1 and instance2 counts you can force both metrics to appear by adding | fillnull value=0 instance1 instance2 after your timechart statement.

the_wolverine · ‎02-13-2014

http://answers.splunk.com/answers/118496/fill-in-0-for-timechart-with-missing-values

Simon_Fishel · ‎10-10-2013

If I'm understanding you correctly, you'd like a timechart of how many messages you are receiving over time. If so, try this:

host=host1 sourcetype="Perfmon:MSMQ Queue" instance="instance2" OR instance="instance1" | timechart count

alacercogitatus · ‎10-10-2013

host=host1 sourcetype="Perfmon:MSMQ Queue" instance="instance2" OR instance="instance1" | stats count

This will show the current count of events, even when it's 0. Is there a specific counter you are looking for?

Chart force line chart to show zero when no results

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services