Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Null/empty data and sparkline
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I've got some data that reports the number of users once per day, like:
users=1000
users=1500
users=9001
I'm trying to make a simple sparkline which shows this over the last 90 days. My current search is:
mysearch | chart latest(users) sparkline(avg(users),1d)
This works, but there is a problem: the sparkline displays a value of 0 as the first or last value, depending on when the search is run. It assumes that the value is 0 when the search time range includes part of a day that does not have data. For example, if the search includes the last 2 hours of Tuesday, it will assume a 0, because the data from Tuesday was reported at 4 am.
So, how do I get sparkline to ignore these values, or get the search to not include "partial" days? I've tried usenull=f in the chart command, but it doesn't seem to work for sparklines. I realize that making this a scheduled search would probably work if I get the time ranges just right, but I feel like there is a more elegant way to do it, and I don't want it to break if the reporting frequency changes or moves to a different time.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind, I found it. I forgot I could use the "snap to time unit" for my time ranges:
earliest=-30d@d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For next ones who would a solution without changing the time unit :
|makemv delim="£" setsv=true YOURSPARKLINEFIELD|eval YOURSPARKLINEFIELD=replace((YOURSPARKLINEFIELD),",0","")|makemv delim="," setsv=true YOURSPARKLINEFIELD
That will delete all 0 values generated by Splunk stats sparkline() function that you dont want to see [Often the first and last value].
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind, I found it. I forgot I could use the "snap to time unit" for my time ranges:
earliest=-30d@d
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
