Solved: How to make Search Visualization where count=0?

ToddClayton · ‎05-03-2023

Complete novice here, but I was able to get my search result thanks to others who have had questions.

Currently I'm successfully running a search that shows me by hour where count = 0

<<search>>

| timechart span=1h count

| where count=0

I get my date/hour in statistics showing me each hour that's getting a count of 0.

But I'd like to visualize it better. Hit Visualize and it shows me a nice chart with a flatlined Y axis. Of course, because everything is 0.

I can't quite wrap my head around showing this data in a more visually appealing format. Every day there are a couple of "0 count" hours. Maybe something that shows each day and the number of "0 count" hours?

Thanks in advance.

richgalloway · ‎05-03-2023

Try adding | timechart span=1d count to the end of the query. That should give the number of hours with zero counts each day.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-03-2023

Try adding | timechart span=1d count to the end of the query. That should give the number of hours with zero counts each day.

---
If this reply helps you, Karma would be appreciated.

ToddClayton · ‎05-03-2023

That helps greatly!

Thank you very much @richgalloway!

How to make Search Visualization where count=0?

chart

stats

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?