Solved: How to set specific options for certain fields in ...

jakethomso · ‎12-16-2019

I am trying to get one of the fields in my timechart to not connect points on null values, whilst still allowing the others to connect.

For example, I would like the outliers field to leave gaps on null values, whilst median and durationMs connect.

alt text

I can't seem to find anything online on this, so I was just wondering if it was even possible, maybe by even doing something in the XML like

<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.nullValueMode.outlier">gap</option>

Obviously that doesn't work, but maybe it's on the right track?

EDIT: my durationMs field does have null values, so I cannot just keep the chart setting to gaps

to4kawa · ‎12-16-2019

<form>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

search result

Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.

View solution in original post

to4kawa · ‎12-16-2019

<form>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

search result

Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.

jakethomso · ‎12-17-2019

cont=f did the job! Thank you.

jakethomso · ‎12-17-2019

Unfortunately your solution only works as there are no null values in your count, whereas my durationMs field does contain some null values. Therefore I need to use the connect null values option on that field, whilst keeping the outlier field as gaps.

I should have made that more clear, my bad.

to4kawa · ‎12-17-2019

NULL values can be removed by query.

jakethomso · ‎12-17-2019

That is what I have been doing so far, but that also compresses the graph in periods that have less events. Which makes it quite misleading, as the time is no longer consistent throughout.

to4kawa · ‎12-17-2019

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d")) 
| makecontinuous span=1h _time 
| eval count=random() % 21 + 1 
| eventstats median(count) as median 
| eval outlier=if(count=20,20,NULL) 
| eval flag=random() % 3 
| where flag!=2 
| timechart cont=f values(eval(count)) as count values(outlier) as outlier values(median) as median

If you delete the null value in where and use timechart with cont = f , you will not see any missing values.

How to set specific options for certain fields in a chart

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres

Are you a member of the Splunk Community?

How to set specific options for certain fields in a chart

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres