Splunk Search

chart with missing values

xvxt006
Contributor

Hi,

i am charting errors and i see that for some of the days there is no data and i want to fill that date with 0. So i have used this query. I see that i have 0s when there are no actual values. But in the chart, i see actual values on the x axis and date values as the data points. How to flip this so that i see date on the x axis and actual data on the data points..

| gentimes start=06/23/2014 end=07/23/2014 increment=1d | fields starttime | eval Date=strftime(starttime," %m-%d") | eval Errors= 0 | fields 404s,Date | join type=outer Date[search xxxxx | eval Date=strftime(_time," %m-%d") | chart count(uri) as Errors over Date | sort by Date]

Tags (1)
1 Solution

Suda
Communicator

Hello,

Could you try to use "timechart" instead of "chart"?

xxxxxx | timechart span=1d count(uri) AS Errors | eval Date=strftime(_time," %m-%d") | table Date Errors

I believe it would be simple.

I hope it helps you. Thank you.

View solution in original post

Suda
Communicator

Hello,

Could you try to use "timechart" instead of "chart"?

xxxxxx | timechart span=1d count(uri) AS Errors | eval Date=strftime(_time," %m-%d") | table Date Errors

I believe it would be simple.

I hope it helps you. Thank you.

Suda
Communicator

You want to see the chart (historical graph), don't you?
If you stop "timechart" command, you may see the timechart.
Is it an answer which you want?

0 Karma

xvxt006
Contributor

Thank you. i did not know that having table would still show the chart

0 Karma

xvxt006
Contributor

yes you are right. But when i use timechart, i don't get the date format in the way i want (month-day) and also when i chart it, it skips showing some of the dates (even though data points are there)

0 Karma

strive
Influencer

Looks like your use case is: Chart count of errors over date (with span as 1 day) and when there is no data you should show it as 0.
Is there any specific reason to use join?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...