Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Force plot empty columns
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Force plot empty columns
I am trying to plot a 4 column chart, say 'A, B, C, D', where each column value is actually a single value series (so that we can color code each column consistently).
I have set 4 pre-defined column labels, and can generally pass the data to them and have it plotted so that each column aligns to the label.
However, the search that generates the data may not always return any series data for some of the columns - for example:-
Col ColA ColB ColC ColD
B 0 6 0 0
D 0 0 0 3
In this example the chart columns start trying to reformat the column widths - especially, as in the example above, if there is a 'gap' between two populated columns.
I've tried every combination of "useAbsoluteSpacing" etc I can think of and cannot seem to get consistent plotting. From what I can think, I may have two options to try and get this to work:-
- Is there a way to force a column chart to plot consistently even if there is no series data for some of the expected columns
- Is there a way to create 'null\empty' column fields in my search, and if so would passing this populated with zeros force the consistent format.
E.g if the following search returns the results shown above, can I 'fake' results for A and C
... | chart
count(eval(match(Metric,"A"))) AS "ColA",
count(eval(match(Metric,"B"))) AS "ColB",
count(eval(match(Metric,"C"))) AS "ColC",
count(eval(match(Metric,"D"))) AS "ColD"
by Metric
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update.
I've tried playing with Append and AppendCols and I can get what I want, but now have hit a new issue.
If I use an append command at the end of my search this genrates a 'C' row and adds a 0 to 'ColC':-
SEARCH COMMAND WITH CHARTING | append [|stats count AS "ColC" | eval Metric="C"]
This is exactly what I want, as when I plot the graph it has now properly spaces the columns 🙂
However, if there already is a row 'C' in my results, it generates a duplicate row 'C' and corrupts the graph completely 😞
Conversely, if I use "appendcols" instead, it doesn't generate the duplicate row, but doesn't create one if it's missing in the first place.
I'm now into some sort of conditional check to try and switch between append and appendcols depending on whether the results already have a 'ColC' value and am stuck. My search is also about 100x more complex than it needs to be, and I get the feeling I'm missing a simple option somewhere!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
