Splunk Search

Use of fillnull displays wrong color in 'single value'

Mike6960
Path Finder

I am using | fillnull totalCount in my search so I get an 0 when there is no result.
The color range I use is from min to 0 is green, from 0 to max is red.
Somehow the '0' is still showing red. Is there any way to change this?

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @Mike6960,

Make sure you have something like this for your colors in xml :

<option name="rangeColors">["0x65a637","0xd93f3c"]</option>
<option name="rangeValues">[0.99]</option>

Also since this makes 0-0.99 green you can use 0.1 instead for fillnull if 0 is still not working : ...|fillnull value=0.1 totalCount or force to zero just in case : ...|fillnull value=0 totalCount

Cheers,
David

View solution in original post

Mike6960
Path Finder

I think I found it, the table count has to be after the brackets

index=captiva
|chart count by message.messageid
| search count < 2
|stats sum(count)| append [ | makeresults | eval count=0 ]| head 1| table count

0 Karma

Mike6960
Path Finder

No, thats also not the solution....

0 Karma

DavidHourani
Super Champion

What does this give you alone when u run it in search ?

  index=captiva 
  | chart count by message.messageid 
  | where count &lt; 2
  | stats sum(count) 
0 Karma

Mike6960
Path Finder

No results found

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @Mike6960,

Use |filnull totalCount value=0. Also, make sure color configuration is saved properly to save the dashboard and refresh the browser page. Otherwise, the configuration (min-0 green and 0-max red) works for me. (I'm using Splunk version 7.2) Check XML would look like:

<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>

Hope this helps!!!

0 Karma

Mike6960
Path Finder

tried your suggestions but it does not work

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

From the UI edit dashboard and check XML. Also, give me which Splunk verion you are using.

0 Karma

Mike6960
Path Finder

Version 7.0.0
value
block
all
0
["0x65a637","0xd93f3c"]
[1]
progressbar
1
1
0
1
medium
standard
absolute
Niet aangekomen Verint
after
1
1

0 Karma

adonio
Ultra Champion

do from min to 0 green and from 1 to max red

0 Karma

Mike6960
Path Finder

No, that doesn't work either

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...