Splunk Search

How to display zero value in a chart with multiple fields

yvassilyeva
Path Finder

Hi! 

i am trying to create a search to display zero values in my chart. However my current search has multiple calculated fields ( |stats  sum(count) as Count,  avg(days) as avg_days,  avg(time) as avg_time by category time)

I have this done by creating a dummy search with zero values and then using max command. I would like to only show zero values for the Count. Thank you for your help in advance!

Labels (3)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please share sample data, the current search, the current results, and a mock-up of the desired results.

---
If this reply helps you, Karma would be appreciated.
0 Karma

yvassilyeva
Path Finder

Thank you for a prompt response. Since the data is confidential i will do a close mock up of the searches:

index=sample sourcetype=sample 
| fields ID TYPE CLASS CATEGORY  COMP_DATE ALS BUSINESS_DAYS 
| eval COMP_DATE = strptime(COMP_DATE , "%Y-%m-%d")

| bin span="1mon@mon" COMP_DATE

| eventstats avg(BUSINESS_DAYS) as AVG_BUS_DAYS, avg(ALS) as Target BY COMP_DATE CATEGORY

| stats count(ID) AS COUNT, values(AVG_BUS_DAYS ) as AVG_BUS_DAYS,  values(Target) as Target BY COMP_DATE CATEGORY

| sort COMP_DATE

| eval COMP_DATE= strftime(COMP_DATE, "%x")

Then I do a column chart and I have a count of 0 for the month of June, and the bar for that month is not displayed in the chart. And I'd like to still show 0 value in the chart. Hope this helps a little bit.

 

 

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

A column of zero height is not visible.  You should, however, be able to format the graph to display values so the empty column will show "0".  All other columns will show numbers, too.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Zero values have display set to none, so you can use CSS to force it back on. Here is a runanywhere example dashboard

    <panel depends="$stayhidden$">
      <html>
        <style>
          #messagereceivedchart g.highcharts-data-label{
            display: flex !important;
          }
        </style>
      </html>
    </panel>
    <panel>
      <chart id="messagereceivedchart">
        <title>Message received</title>
        <search>
          <query>| makeresults | eval _raw="Messages,Nov_20,Dec_20,Jan_21,Feb_21
Messge 0,0,1,0,0
Messge 1,1,3,1,1
Messge 2,11,0,0,0
Messge 3,1,0,0,0
Messge 4,9,5,0,0
Messge 5,1,1,0,0
Messge 6,1,1,0,0
Messge 7,0,1,0,0"
| multikv forceheader=1
| fields - _raw _time linecount
| fields - _mkv*
| fields Messages *</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>

yvassilyeva
Path Finder

I wanted it to work so much, but it didn't for some reason. Is that specific to all the fields? I have a chart overlay, maybe that is the reason..

 

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...