Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

timechart return 0 if no results found

amitdaniel
Explorer
‎04-17-2018 12:12 AM

Hi .
I have a sourcetype = Queue and i'm sending the number of messages waiting in the queue . 

index=monitoring sourcetype=Qeueue Account=azbcd ( QueueName="test123") | timechart max(MessageCount) as MessageCount span=30minute

But if the number of messages = 0 i'm not sending any data to Splunk ( Actually if i'll not find a solution i'll fix my code to send 0 but i want to avoid that )

Look at the picture you can see that when the messageCount=0 i have a "hole" in the graph .
Is there a way to add if condition or something else that will say if we don't have data put 0 ?

alt text

Thanks ,
Amit

Tags (1)
Preview file
54 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

p_gurav
Champion
‎04-17-2018 07:17 AM

You can use Zero option for "Null Values" in Format tab. Refer doc:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/LineAreaCharts#Configuration_options

View solution in original post

Reply
Solved! Jump to solution

TISKAR
Builder
‎04-18-2018 05:32 AM

Hello,
Can you try this please,

index=monitoring sourcetype=Qeueue Account=azbcd ( QueueName="test123") | timechart max(MessageCount) as MessageCount span=30minute | fillnull value=0

Also you can use make continous command:

https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Makecontinuous

Regards

0 Karma
Reply
Solved! Jump to solution
Solution

p_gurav
Champion
‎04-17-2018 07:17 AM

You can use Zero option for "Null Values" in Format tab. Refer doc:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/LineAreaCharts#Configuration_options

Reply
Solved! Jump to solution

amitdaniel
Explorer
‎04-18-2018 07:15 AM

Thank you !

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-18-2018 07:36 AM

The command equivalent for this would be | fillull value=0 to be added after the timechart command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...