Chart force line chart to show zero when no results

Explorer

Hi, I have a realtime chart that monitors the current messages in queue.

My search string right now is:

  host=host1 sourcetype="Perfmon:MSMQ Queue" "instance=instance2" OR "instance=instance1"

Sometimes no results are returned due to the queue having 0 messages over a long period of time.
Is it possible on a Splunk line chart to force it to show a 0 value when no results are returned?

Thanks in advance.


Contributor

It really depends on your timechart statement. Assuming that you measure instance1 and instance2 counts you can force both metrics to appear by adding | fillnull value=0 instance1 instance2 after your timechart statement.


Splunk Employee

If I'm understanding you correctly, you'd like a timechart of how many messages you are receiving over time. If so, try this:

host=host1 sourcetype="Perfmon:MSMQ Queue" instance="instance2" OR instance="instance1" | timechart count


SplunkTrust

host=host1 sourcetype="Perfmon:MSMQ Queue" instance="instance2" OR instance="instance1" | stats count

This will show the current count of events, even when it's 0. Is there a specific counter you are looking for?
