Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display 0 in a timechart table?

jip31
Motivator
‎03-11-2022 01:17 AM

hello

I count results by _time in a table panel like this and it works perfectly

When the results is 0 the result is displayed only once there is a result on the bin _time after

For example, if at 7h, the result is = 0 but at 8h the result is = 1, the results for 7h and 8h are correctly displayed

But as long as the result is 0, nothing is displayed

 

 

index=toto 
| bin span=1h _time  
| stats count as Pb by s _time 
| search Pb >= 3 
| timechart dc(s) as s span=1h 
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(s) as nbs by time 
| rename time as Heure

 

 

so I tried this for displaying results = 0 but it doesnt works

could you help please?

 

 

| eval nbs =if(isnull(nbs, 0, nbs)

 

 

 

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎03-15-2022 06:17 AM

Give this a try

index=toto 
| bin span=1h _time  
| stats count as Pb by s _time 
| search Pb >= 3 
| timechart dc(s) as s span=1h 
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(s) as nbs by time 
| rename time as Heure
| appendpipe [| stats count | where count=0  | eval t=mvrange(0, 24,1) | table t | mvexpand t | eval Heure=substr("0".t,-2) | fields - t| eval nbs=0]
0 Karma
Reply

jip31
Motivator
‎03-15-2022 11:56 PM

it's a little better it misses 2 things

1) the "Heure" format is not good because I need a display in hour minutes (07:00 instead 07)

2) I just need to display result=0 for the Heure corresponding to the system time (if the system time is 07:00 I need to display 0 only fo 7:00 and not 8:00)

thanks

0 Karma
Reply

jip31
Motivator
‎03-14-2022 09:08 PM

Is anybody can help please?

0 Karma
Reply

somesoni2
Revered Legend
‎03-11-2022 12:51 PM

Give this a try

index=toto 
| bin span=1h _time  
| stats count as Pb by s _time 
| search Pb >= 3 
| timechart dc(s) as nbs span=1h 
| eval Heure = strftime(_time, "%H:%M") 
| table Heure nbs | fillnull value=0
0 Karma
Reply

jip31
Motivator
‎03-13-2022 11:16 PM

hi

sorry but any results are displayed 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-11-2022 03:03 AM

You're doing some strange things here 🙂

Firstly, if you're binning to a full hour, why strftime with minutes? 🙂

Secondly, I'm not sure what you're trying to achieve. Especially with that _time condition - it should be part of the base search.

Can you be a bit more specific what is the goal of this search?

0 Karma
Reply

jip31
Motivator
‎03-11-2022 03:44 AM

Hi

Because I need to display minutes after hour...

Like I said, O is displayed in my table only when there is events on a previous time or an anterior time

for example if at 7h00 there is no event I must wait to have events at 8h00 for having a result = 0 at 7h

Or to have events at 6h00 for having a result = 0 at 7h00

So I am looking for a solution in order to be able to display a result = 0 without wainting a time span with events > 0

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-11-2022 04:07 AM

OK, you could have just put a static ":00" since your timestamps are aligned to full hour but this way it will also work 🙂

And about my question what you're trying to do I meant what you're trying to get from your search as a whole. Not what particular technical obstacle you're trying to overcome but what is the "high-level" goal of this search. I mean - what type of report you want to get at the end. What is it supposed to show?

0 Karma
Reply

jip31
Motivator
‎03-11-2022 06:34 AM

Like this it's almost working except I ave no time displayed

| appendpipe 
    [ stats count as _events 
    | where _events = 0 
    | eval nbs = 0 ]
0 Karma
Reply

jip31
Motivator
‎03-11-2022 04:53 AM

here is what I display

jip31_0-1647002928554.png

following this example, what I try to explain is that when the nbs field result is 0 I need that the posterior field has a result value in order to display the anterior field which is equal to 0

Imagine that all fields will be equal to 0, it means that there will be any value in my table, just the message "any results"

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top