Re: How to display zero value in a chart with mult...

yvassilyeva · ‎07-07-2021

Hi!

i am trying to create a search to display zero values in my chart. However my current search has multiple calculated fields ( |stats sum(count) as Count, avg(days) as avg_days, avg(time) as avg_time by category time)

I have this done by creating a dummy search with zero values and then using max command. I would like to only show zero values for the Count. Thank you for your help in advance!

richgalloway · ‎07-07-2021

Please share sample data, the current search, the current results, and a mock-up of the desired results.

---
If this reply helps you, Karma would be appreciated.

yvassilyeva · ‎07-07-2021

Thank you for a prompt response. Since the data is confidential i will do a close mock up of the searches:

index=sample sourcetype=sample
| fields ID TYPE CLASS CATEGORY COMP_DATE ALS BUSINESS_DAYS
| eval COMP_DATE = strptime(COMP_DATE , "%Y-%m-%d")

| bin span="1mon@mon" COMP_DATE

| eventstats avg(BUSINESS_DAYS) as AVG_BUS_DAYS, avg(ALS) as Target BY COMP_DATE CATEGORY

| stats count(ID) AS COUNT, values(AVG_BUS_DAYS ) as AVG_BUS_DAYS, values(Target) as Target BY COMP_DATE CATEGORY

| sort COMP_DATE

| eval COMP_DATE= strftime(COMP_DATE, "%x")

Then I do a column chart and I have a count of 0 for the month of June, and the bar for that month is not displayed in the chart. And I'd like to still show 0 value in the chart. Hope this helps a little bit.

richgalloway · ‎07-07-2021

A column of zero height is not visible. You should, however, be able to format the graph to display values so the empty column will show "0". All other columns will show numbers, too.

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎07-07-2021

Zero values have display set to none, so you can use CSS to force it back on. Here is a runanywhere example dashboard

    <panel depends="$stayhidden$">
      <html>
        <style>
          #messagereceivedchart g.highcharts-data-label{
            display: flex !important;
          }
        </style>
      </html>
    </panel>
    <panel>
      <chart id="messagereceivedchart">
        <title>Message received</title>
        <search>
          <query>| makeresults | eval _raw="Messages,Nov_20,Dec_20,Jan_21,Feb_21
Messge 0,0,1,0,0
Messge 1,1,3,1,1
Messge 2,11,0,0,0
Messge 3,1,0,0,0
Messge 4,9,5,0,0
Messge 5,1,1,0,0
Messge 6,1,1,0,0
Messge 7,0,1,0,0"
| multikv forceheader=1
| fields - _raw _time linecount
| fields - _mkv*
| fields Messages *</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>

yvassilyeva · ‎07-07-2021

I wanted it to work so much, but it didn't for some reason. Is that specific to all the fields? I have a chart overlay, maybe that is the reason..

How to display zero value in a chart with multiple fields

chart

count

stats

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms