I have a report which shows top 3 errors by month,error. i am trying to plot this on a bar chart (Not timechart), so the bar chart displays the empty errors fields as blank, which looks very odd.
My result looks like this,
Month ---- Er1 ---------Er2-------Er3--------Er4---------Er5---------Er6
Jan --------- 20 -------- XX ------10 -------- 15 ---------XX------------XX
Feb--------- XX ---------- 14------- 12 --------XX----------15-----------XX
Mar--------- 10 ---------- 14------- XX --------XX----------XX-----------20
So in my bar chart for each month it shows 6 bars (as the total type of errors are 6), but i want to show only the 3 bars with values.
Any option of keeping the bars values in descending order will also work... so that i can keep the bar with ) count to the end...
For those trying to play along at home, use this search for "Last 60 minutes":
index=_*
| rename sourcetype AS Error date_hour AS Date
| stats count AS ErrorCount BY Error Date
| sort Date -ErrorCount
| dedup 3 Date
| chart values(ErrorCount) AS count BY Date Error
Then I select Bar Chart
and notice that the ones with no values show blank spots. I believe the ask is to collapse those blank spots, which I do not think is possible with Simple XML. You will have to do a custom visualization or file an Enhancement Request.
Can you add SPL for this as well? What is your final pipe for building the chart.
Is your zero values actually XX in the data or 0 or have you just mocked it?
Please find the SPL beow,
search ... | stats count as ErrorCount by Error,Date|sort Date,-count|dedup 5 Date|chart values(ErrorCount ) as count by Date,Error.
Here the XX value is null, not zero, i just mocked here..
Change your chart command to the following and see if it helps
| chart max(ErrorCount ) as count by Date,Error cont=false
With your existing query with values(ErrorCount), I am assuming there is either only single value per aggregation by Date, Error or no value. So you can add cont=false
to drop bins with null or no values. I have changed from values() to max() to avoid multiple value, however depending on your data that might not be required.
It didn't work 😞 @niketnilay