Solved: Display value in chart even if count if zero

treinke · ‎12-15-2014

Looking to do a chart and even if the count of a value is 0 still diplay the name of the value. My search so far is:
sourcetype=app3* (app3_level="Fatal" OR app3_level="Error") | chart count by app3_level,app3_message

I tried to add to the end of the statement but it didn't help.
| fillnull value=0 app3_level

Most of the time there is not a "app3_level=Fatal" but I still want it to show up in the column. Any ideas?

There are no answer without questions

somesoni2 · ‎12-15-2014

Try this

sourcetype=app3* (app3_level="Fatal" OR app3_level="Error") | chart count by app3_level,app3_message  | append [| gentimes start=-1 | eval app3_level="Fatal Error" | table app3_level | makemv app3_level | mvexpand app3_level ] | fillnull value=0 | stats max(*) as * by app3_level,app3_message

View solution in original post

somesoni2 · ‎12-15-2014

Try this

sourcetype=app3* (app3_level="Fatal" OR app3_level="Error") | chart count by app3_level,app3_message  | append [| gentimes start=-1 | eval app3_level="Fatal Error" | table app3_level | makemv app3_level | mvexpand app3_level ] | fillnull value=0 | stats max(*) as * by app3_level,app3_message

Display value in chart even if count if zero

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life