Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you "fillnull" a sparkline field?

neiljpeterson
Communicator
‎03-26-2014 05:52 AM

I have a chart with various counts of errors and corresponding Sparklines.

In this instance the null values are just as important as non-zero values, so I used fillnull to fill the Null count fields with zero.

Unfortunately the sparkline fields are blank which breaks the visual continuity of the chart.

How do I fill a null sparkline field with a flat sparkline?

This is my final search. It replaces the empty fields with a flat sparkline, then renames and reorders the columns.

sourcetype=*application* severity=ERROR           
| chart count sparkline over app by host | rename "sparkline: server1" AS server1, "sparkline: server2" AS server2 
| eval server1= mvjoin(server1, "%%%") | eventstats max(server1) as temp | eval temp = replace(temp, "\d+", "0") | eval server1= coalesce(server1, temp) | makemv delim="%%%" server1| fields - temp 
| eval server2= mvjoin(server2, "%%%") | eventstats max(server2) as temp | eval temp = replace(temp, "\d+", "0") | eval server2= coalesce(server2, temp) | makemv delim="%%%" server2| fields - temp 
| rename app as Application, server1 as "Errors per half hour on server1", server2 as "Errors per half hour on server2", "count: server2" as "Total Errors on server2", "count: server1" as "Total Errors on server1" 
| table Application, "Total Errors on server2" "Errors per half hour on server2" "Total Errors on server1" "Errors per half hour on server1"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-26-2014 10:04 AM

If your sparkline field is called sparkline, you can append this to fill an empty field with a zeroed out sparkline (requires at least one sparkline to exist:

... | eval sparkline = mvjoin(sparkline, "%%%") | eventstats max(sparkline) as temp | eval temp = replace(temp, "\d+", "0") | eval sparkline = coalesce(sparkline, temp) | makemv delim="%%%" sparkline | fields - temp

It's probably best to move that into a macro with the sparkline fieldname as an argument for reusability.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-26-2014 10:04 AM

If your sparkline field is called sparkline, you can append this to fill an empty field with a zeroed out sparkline (requires at least one sparkline to exist:

... | eval sparkline = mvjoin(sparkline, "%%%") | eventstats max(sparkline) as temp | eval temp = replace(temp, "\d+", "0") | eval sparkline = coalesce(sparkline, temp) | makemv delim="%%%" sparkline | fields - temp

It's probably best to move that into a macro with the sparkline fieldname as an argument for reusability.

Reply
Solved! Jump to solution

neiljpeterson
Communicator
‎03-31-2014 03:48 PM

This worked!!! I will post my working search as an edit.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-26-2014 11:33 AM

As a first step towards debugging your now-posted search, don't name your fields into something fancy (and including spaces) until the very end. That likely confuses the eval command.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-26-2014 11:31 AM

A little background on how/why this works: A sparkline field is a multivalue field like this:

##__SPARKLINE__##
0
2
1
2
...

The first value is a magic number, and the values after that are the actual sparkline. My pipeline converts that into a string, takes one of the sparklines to get the correct number of data points, replaces all points with zeroes, and copies that over to any sparkline field that was empty. That gets converted back into multivalue fields to be displayed as if nothing ever happened.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-26-2014 11:29 AM

Here's a full work-anywhere sample search:

index=_internal | stats count sparkline(avg(bytes)) as sparkline by sourcetype | append [stats count | eval sourcetype="splunk_fake"] | sort + sourcetype
| eval sparkline = mvjoin(sparkline, "%%%") | eventstats max(sparkline) as temp | eval temp = replace(temp, "\d+", "0") | eval sparkline = coalesce(sparkline, temp) | makemv delim="%%%" sparkline | fields - temp

The first part builds your problem - a category, a count, and a sparkline where one sparkline isn't there. The second line is my sparkline-fillnull-sequence.

0 Karma
Reply
Solved! Jump to solution

neiljpeterson
Communicator
‎03-26-2014 11:25 AM

Woah! Awesome! I can't say I understand all of this, but I get the gist.

When I append this at the end of my search it replaces the actual sparkline fields with the text of the field name. I am clearly doing something wrong. I will post my search in a top level comment.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...