Solved: How to set specific options for certain fields in ...

jakethomso · ‎12-16-2019

I am trying to get one of the fields in my timechart to not connect points on null values, whilst still allowing the others to connect.

For example, I would like the outliers field to leave gaps on null values, whilst median and durationMs connect.

I can't seem to find anything online on this, so I was just wondering if it was even possible, maybe by even doing something in the XML like

<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.nullValueMode.outlier">gap</option>

Obviously that doesn't work, but maybe it's on the right track?

EDIT: my durationMs field does have null values, so I cannot just keep the chart setting to gaps

to4kawa · ‎12-16-2019

<form>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.

View solution in original post

to4kawa · ‎12-16-2019

<form>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.

jakethomso · ‎12-17-2019

cont=f did the job! Thank you.

jakethomso · ‎12-17-2019

Unfortunately your solution only works as there are no null values in your count, whereas my durationMs field does contain some null values. Therefore I need to use the connect null values option on that field, whilst keeping the outlier field as gaps.

I should have made that more clear, my bad.

to4kawa · ‎12-17-2019

NULL values can be removed by query.

jakethomso · ‎12-17-2019

That is what I have been doing so far, but that also compresses the graph in periods that have less events. Which makes it quite misleading, as the time is no longer consistent throughout.

to4kawa · ‎12-17-2019

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d")) 
| makecontinuous span=1h _time 
| eval count=random() % 21 + 1 
| eventstats median(count) as median 
| eval outlier=if(count=20,20,NULL) 
| eval flag=random() % 3 
| where flag!=2 
| timechart cont=f values(eval(count)) as count values(outlier) as outlier values(median) as median

If you delete the null value in where and use timechart with cont = f , you will not see any missing values.

How to set specific options for certain fields in a chart

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...