Splunk Search

Force plot empty columns


I am trying to plot a 4 column chart, say 'A, B, C, D', where each column value is actually a single value series (so that we can color code each column consistently).

I have set 4 pre-defined column labels, and can generally pass the data to them and have it plotted so that each column aligns to the label.

However, the search that generates the data may not always return any series data for some of the columns - for example:-

Col ColA    ColB    ColC    ColD
B   0   6   0   0
D   0   0   0   3

In this example the chart columns start trying to reformat the column widths - especially, as in the example above, if there is a 'gap' between two populated columns.

I've tried every combination of "useAbsoluteSpacing" etc I can think of and cannot seem to get consistent plotting. From what I can think, I may have two options to try and get this to work:-

  • Is there a way to force a column chart to plot consistently even if there is no series data for some of the expected columns
  • Is there a way to create 'null\empty' column fields in my search, and if so would passing this populated with zeros force the consistent format.

E.g if the following search returns the results shown above, can I 'fake' results for A and C

... | chart 
count(eval(match(Metric,"A"))) AS "ColA", 
count(eval(match(Metric,"B"))) AS "ColB",
count(eval(match(Metric,"C"))) AS "ColC",
count(eval(match(Metric,"D"))) AS "ColD" 
by Metric



I've tried playing with Append and AppendCols and I can get what I want, but now have hit a new issue.

If I use an append command at the end of my search this genrates a 'C' row and adds a 0 to 'ColC':-

SEARCH COMMAND WITH CHARTING | append [|stats count AS "ColC" | eval Metric="C"]

This is exactly what I want, as when I plot the graph it has now properly spaces the columns 🙂

However, if there already is a row 'C' in my results, it generates a duplicate row 'C' and corrupts the graph completely 😞

Conversely, if I use "appendcols" instead, it doesn't generate the duplicate row, but doesn't create one if it's missing in the first place.

I'm now into some sort of conditional check to try and switch between append and appendcols depending on whether the results already have a 'ColC' value and am stuck. My search is also about 100x more complex than it needs to be, and I get the feeling I'm missing a simple option somewhere!

0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...