Splunk Search

How to force graph to include recent "zero" values?

echojacques
Builder

So I have this basic search for a line graph visualization:

(search goes here) | timechart count

Let's say I've had 10 events/hour up until 7:00am this morning. Between 7:00-10:00am I've had zero events. When I render the graph, it "stops" at 7:00am. How can I force the graph to include the zero events between 7:00-10:00am? The reason this is important is that I'm trying to get the graph to communicate that the events have stopped... but it looks like they are still on-going since it doesn't include recent hours of zero events. I hope that makes sense.

Thanks for your help!



somesoni2
Revered Legend

Try this workaround

your base search | timechart count | appendpipe [|stats count | addinfo | eval _time=info_max_time | table _time] | makecontinuous

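Putting the accepted workaround together with the fillnull suggestion from the thread, as an added example that is not one of the original posts. It assumes a bounded time range (for example "Last 24 hours", not "All time", since info_max_time is only a usable timestamp when the latest time is bounded), an hourly span, and a placeholder base search you replace with your own; the point is that a source that has gone quiet renders as a flat line at zero up to the end of the search window instead of a line that simply stops:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| timechart span=1h count
| appendpipe [ | stats count | addinfo | eval _time=info_max_time | table _time ]
| makecontinuous _time span=1h
| fillnull value=0 count
```

The appendpipe subsearch adds one row whose _time is the search's latest time, makecontinuous then creates every missing hourly bucket between the last real event and that row, and fillnull turns the empty buckets into explicit zeros, so the chart's "gap" versus "treat as zero" setting no longer matters.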

lguinn2
Legend

You could also try

 | timechart count fixedrange=T | fillnull

although fixedrange is supposed to be the default.


echojacques
Builder

I just tried this and unfortunately, it produces the same result. Instead, is there a way to force a time range (e.g. last 24 hours) in a graph?

In my opinion, this is almost a bug as this should be a simple/basic thing to do...

Or maybe I shouldn't be using a timechart for what I'm trying to do?

Thanks



echojacques
Builder

Thanks, the updated answer works! I really appreciate it, I probably would not have figured this out on my own.


somesoni2
Revered Legend

Try the updated answer. This ensures that all the missing bins (e.g. the last 6 hrs in your search) will be shown and you'll get a more streamlined graph.


echojacques
Builder

I tried this, and while this does get the graph to hit zero, the trend line is still very much compressed -> I've had zero events for this search in the last 6 hours, so while the line goes to zero, there is no continuation/trend of the line for the last 6 hours (it looks like the events just now stopped and went to zero, which is not the case).

Thanks


lguinn2
Legend

The visualization for timechart has an option for how to treat "missing" values. The default setting is "gap", which means "if you have no events, don't draw a line".

You want the option called "treat as zero".


echojacques
Builder

I've added my timechart in my original post. You'll see that while it successfully draws a line at zero for previous times, the line ends at 7:20am and doesn't drop down to zero for the previous 3 hours (to 10:30am). It's still dangling high at 100 even though the current value for this event is zero, and has been for the last 3 hours.


echojacques
Builder

Hi, thanks for the reply. I've tried that option and while it works for events between let's say 6:00am yesterday and 7:00am today, it doesn't force the graph to draw a line for the most recent X hours. So right now, even with that option set, my graph stops at 7:00am this morning even though it's 10:30am.
