Splunk Search

Force plot empty columns


I am trying to plot a 4 column chart, say 'A, B, C, D', where each column value is actually a single value series (so that we can color code each column consistently).

I have set 4 pre-defined column labels, and can generally pass the data to them and have it plotted so that each column aligns to the label.

However, the search that generates the data may not always return any series data for some of the columns - for example:-

Metric    ColA    ColB    ColC    ColD
B         0       6       0       0
D         0       0       0       3

In this example the chart columns start trying to reformat the column widths - especially, as in the example above, if there is a 'gap' between two populated columns.

I've tried every combination of "useAbsoluteSpacing" etc. I can think of and cannot seem to get consistent plotting. From what I can think, I may have two options to try and get this to work:-

  • Is there a way to force a column chart to plot consistently even if there is no series data for some of the expected columns
  • Is there a way to create 'null\empty' column fields in my search, and if so would passing this populated with zeros force the consistent format.

E.g. if the following search returns the results shown above, can I 'fake' results for A and C?

... | chart
    count(eval(match(Metric,"A"))) AS "ColA",
    count(eval(match(Metric,"B"))) AS "ColB",
    count(eval(match(Metric,"C"))) AS "ColC",
    count(eval(match(Metric,"D"))) AS "ColD"
  by Metric

I've tried playing with Append and AppendCols and I can get what I want, but now have hit a new issue.

If I use an append command at the end of my search this generates a 'C' row and adds a 0 to 'ColC':-

SEARCH COMMAND WITH CHARTING | append [|stats count AS "ColC" | eval Metric="C"]

This is exactly what I want, as when I plot the graph it now properly spaces the columns 🙂

However, if there already is a row 'C' in my results, it generates a duplicate row 'C' and corrupts the graph completely 😞

Conversely, if I use "appendcols" instead, it doesn't generate the duplicate row, but doesn't create one if it's missing in the first place.

I'm now into some sort of conditional check to try and switch between append and appendcols depending on whether the results already have a 'ColC' value and am stuck. My search is also about 100x more complex than it needs to be, and I get the feeling I'm missing a simple option somewhere!
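One way to guarantee all four rows without the conditional append/appendcols switch, as an added example that is not part of the original post: append one zero-valued placeholder row per expected Metric (built with makeresults, split and mvexpand), then collapse real and placeholder rows together with stats, so a Metric that the chart already produced keeps its counts and a missing one gets a zero row instead of a duplicate. The chart portion is the poster's search from above; the field and Metric names are assumed to match it.

```spl
... | chart
    count(eval(match(Metric,"A"))) AS "ColA",
    count(eval(match(Metric,"B"))) AS "ColB",
    count(eval(match(Metric,"C"))) AS "ColC",
    count(eval(match(Metric,"D"))) AS "ColD"
  by Metric
| append [
    | makeresults
    | eval Metric=split("A,B,C,D", ",")
    | mvexpand Metric
    | eval ColA=0, ColB=0, ColC=0, ColD=0
    | fields - _time ]
| fillnull value=0 ColA ColB ColC ColD
| stats sum(ColA) AS ColA sum(ColB) AS ColB sum(ColC) AS ColC sum(ColD) AS ColD by Metric
| sort Metric
```

Because the placeholder rows are all zeros, the sums equal the original chart values wherever a Metric row already existed, and the final table always has exactly the rows A, B, C and D in a fixed order for the column chart.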
