Solved: Re: How to set specific options for certain fields...

jakethomso · ‎12-16-2019

I am trying to get one of the fields in my timechart to not connect points on null values, whilst still allowing the others to connect.

For example, I would like the outliers field to leave gaps on null values, whilst median and durationMs connect.

I can't seem to find anything online on this, so I was just wondering if it was even possible, maybe by even doing something in the XML like

<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.nullValueMode.outlier">gap</option>

Obviously that doesn't work, but maybe it's on the right track?

EDIT: my durationMs field does have null values, so I cannot just keep the chart setting to gaps

to4kawa · ‎12-16-2019

<form>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.

View solution in original post

to4kawa · ‎12-16-2019

<form>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.

jakethomso · ‎12-17-2019

cont=f did the job! Thank you.

jakethomso · ‎12-17-2019

Unfortunately your solution only works as there are no null values in your count, whereas my durationMs field does contain some null values. Therefore I need to use the connect null values option on that field, whilst keeping the outlier field as gaps.

I should have made that more clear, my bad.

to4kawa · ‎12-17-2019

NULL values can be removed by query.

jakethomso · ‎12-17-2019

That is what I have been doing so far, but that also compresses the graph in periods that have less events. Which makes it quite misleading, as the time is no longer consistent throughout.

to4kawa · ‎12-17-2019

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d")) 
| makecontinuous span=1h _time 
| eval count=random() % 21 + 1 
| eventstats median(count) as median 
| eval outlier=if(count=20,20,NULL) 
| eval flag=random() % 3 
| where flag!=2 
| timechart cont=f values(eval(count)) as count values(outlier) as outlier values(median) as median

If you delete the null value in where and use timechart with cont = f , you will not see any missing values.

How to set specific options for certain fields in a chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation