Splunk Search

Force plot empty columns

apackard
Engager

I am trying to plot a 4 column chart, say 'A, B, C, D', where each column value is actually a single value series (so that we can color code each column consistently).

I have set 4 pre-defined column labels, and can generally pass the data to them and have it plotted so that each column aligns to the label.

However, the search that generates the data may not always return any series data for some of the columns - for example:-

Col  ColA  ColB  ColC  ColD
B    0     6     0     0
D    0     0     0     3

In this example the chart columns start trying to reformat the column widths - especially, as in the example above, if there is a 'gap' between two populated columns.

I've tried every combination of "useAbsoluteSpacing" etc I can think of and cannot seem to get consistent plotting. From what I can think, I may have two options to try and get this to work:-

  • Is there a way to force a column chart to plot consistently even if there is no series data for some of the expected columns?
  • Is there a way to create 'null\empty' column fields in my search, and if so, would passing this populated with zeros force the consistent format?

E.g. if the following search returns the results shown above, can I 'fake' results for A and C?

... | chart 
count(eval(match(Metric,"A"))) AS "ColA", 
count(eval(match(Metric,"B"))) AS "ColB",
count(eval(match(Metric,"C"))) AS "ColC",
count(eval(match(Metric,"D"))) AS "ColD" 
by Metric

apackard
Engager

Update.

I've tried playing with Append and AppendCols and I can get what I want, but now have hit a new issue.

If I use an append command at the end of my search this generates a 'C' row and adds a 0 to 'ColC':-

SEARCH COMMAND WITH CHARTING | append [|stats count AS "ColC" | eval Metric="C"]

This is exactly what I want, as when I plot the graph it has now properly spaced the columns 🙂

However, if there already is a row 'C' in my results, it generates a duplicate row 'C' and corrupts the graph completely 😞

Conversely, if I use "appendcols" instead, it doesn't generate the duplicate row, but doesn't create one if it's missing in the first place.

I'm now into some sort of conditional check to try and switch between append and appendcols depending on whether the results already have a 'ColC' value and am stuck. My search is also about 100x more complex than it needs to be, and I get the feeling I'm missing a simple option somewhere!

0 Karma
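
One way to avoid the duplicate-row problem described in the update above, as an added example that is not part of the original posts: append a zero row for every expected Metric unconditionally, then merge any duplicates with a final stats sum by Metric. The first three lines are constructed sample data that reproduce the B/D table from the question; in a real search they are replaced by the base search.

```spl
| makeresults count=9
| streamstats count AS n
| eval Metric=if(n<=6, "B", "D")
| chart
    count(eval(match(Metric,"A"))) AS "ColA",
    count(eval(match(Metric,"B"))) AS "ColB",
    count(eval(match(Metric,"C"))) AS "ColC",
    count(eval(match(Metric,"D"))) AS "ColD"
    by Metric
| append
    [| makeresults
     | eval Metric=split("A,B,C,D", ",")
     | mvexpand Metric
     | eval ColA=0, ColB=0, ColC=0, ColD=0
     | fields Metric ColA ColB ColC ColD]
| stats sum(ColA) AS ColA, sum(ColB) AS ColB, sum(ColC) AS ColC, sum(ColD) AS ColD by Metric
```

Because the appended zeros are summed with whatever the chart returned, a Metric that already has a row keeps its counts and a missing one gets a row of zeros, so no conditional switch between append and appendcols is needed.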