Dashboards & Visualizations

Why are lines not showing up for line graph?

alanxu
Communicator

Hello,
I am trying to put multiple lines on a line graph. However, the lines are not showing up. Here is a picture of the panel.
alt text

The XML for my dashboard is:

 <row>
    <panel>
      <chart>
        <title>Completion Times of Each "Thing"</title>
        <searchString>host=... source = "..." SP Position="Finished" | eval Completion_Time=tonumber(replace(Completion_Time,"(\d+):(\d+):(\d+)","\1.\2")) | timechart limit=100 latest(TIME) as Completion_Time by FinishedName</searchString>
        <earliestTime>$timetoken.earliest$</earliestTime>
        <latestTime>$timetoken.latest$</latestTime>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </chart>
    </panel>
  </row>

Can anyone give insight on this problem?

0 Karma
1 Solution

woodcock
Esteemed Legend

You can only timechart numbers and since your TIME field almost certainly has colons and hyphens, Splunk very rightly does not consider this a number so it refuses-to/cannot graph them on the Y-Axis. If you convert TIME to epoch then it will graph but it will be a really strange graph. Click on your graph to drilldown and the click on the Statistics tab and you will see your non-number timechart data. That is the problem.

View solution in original post

woodcock
Esteemed Legend

You can only timechart numbers and since your TIME field almost certainly has colons and hyphens, Splunk very rightly does not consider this a number so it refuses-to/cannot graph them on the Y-Axis. If you convert TIME to epoch then it will graph but it will be a really strange graph. Click on your graph to drilldown and the click on the Statistics tab and you will see your non-number timechart data. That is the problem.

alanxu
Communicator

Why will it be a strange graph?

0 Karma

alanxu
Communicator

And what I did was have it as a stats table first then I tried to convert it to a graph.. And you are correct TIME has colons.

0 Karma

woodcock
Esteemed Legend

If you use strptime to convert your TIME variable to an epoch (which is a number), then your graph will "work" but, as I mentioned, such a visualization is pretty useless.

alanxu
Communicator

That is true. I think a work around I saw was changing it to a decimal. HH.MM

0 Karma

woodcock
Esteemed Legend

That will work: use strptime to convert to epoch, then use strftime with "%H.%M" to convert to hour-decimal-minute, which will be plottable. Don't forget to click "Accept" to close the question.

alanxu
Communicator

Thanks woodcock will try out now!

0 Karma

woodcock
Esteemed Legend

It will just be a line growing from the lower-left corner to the upper-right corner if you use epoch. Perhaps your TIME field is really a duration field. If so, try swapping out latest(TIME) with latest(tostring(TIME, "duration")) and that is probably what you are trying to do.

alanxu
Communicator

Instead of making it a string should I be trying to make it a number so I can graph it? And the TIME is the TIME of the indexed information. I am in mountain time but Splunk is in GMT so I used TIME to get the mountain time.

0 Karma

sideview
SplunkTrust
SplunkTrust

Since you have a legend there, you do have multiple series values in the data itself. So what's probably happening here is that you have "nullValueMode" set to "gaps", and all of the numerical values have a null value in the time bucket before, and a null value in the timebucket after. nullValueMode actually causes this confusion quite often.

with chartType set to line and nullValueMode set to "gaps", (and showMarkers left to its default setting of False), the charting will draw lines on the graph only between consecutive values. So if a point in a given series has null values in the time buckets immediately before and immediately after, that point will not get drawn at all. You can stumble across it by mousing around in the chart randomly. Needless to say this is a little confusing, so much so that it should probably be considered an error state.

Anyway, try changing nullValueMode to "connect" or to "zero" and see which one you like best. Alternately you can revisit the search language generating your chart and depending on the search language there's most likely another way to get the data such that you have no empty values, or explicit zeros there install of nulls.

Here's another answers post showing the same problem and same solution.
http://answers.splunk.com/answers/31519/gaps-in-line-graph.html

Incidentally, one somewhat common way this can arise, is if the underlying data (be it summary index data, or just plain old raw data) has an underlying granularity that is courser than the granularity of the search language you're using. For example you might be charting a value that only gets written to the logs every 30 minutes but you're using a timechart command with span=10min. Such a chart, with this combination of nullValueMode etc, would never be able to chart a single point.

alanxu
Communicator

I tried connect and zero, however nothing shows up still.

0 Karma

sideview
SplunkTrust
SplunkTrust

Update: Also yes it is crucial that the "TIME" values you're charting are at least vaguely numerical. timechart can be pretty forgiving about noise in there but if TIME doesn't look at all like a number it wont chart anything for latest(TIME)

alanxu
Communicator

Hmm should I change TIME into a number? By removing the colons

0 Karma

alanxu
Communicator

I would like to have completion time on the y axis.

0 Karma

diogofgm
SplunkTrust
SplunkTrust

Do you have a field called TIME? In your search you are showing the latest TIME. If you don't have it, it won't show data.

| timechart limit=100 latest(TIME) as Completion_Time by FinishedName

I don't know much about your data but, taking in consideration the eval i believe you meant to use:

latest(Completion_Time)
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

alanxu
Communicator

Doing latest(Completion_Time) gives back no results

0 Karma

alanxu
Communicator

Yes I do have a field called TIME

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...