Splunk Search

Ignore Empty valued bars in Bar Chart

harish_ka
Communicator

I have a report which shows the top 3 errors by month, error. I am trying to plot this on a bar chart (not timechart), so the bar chart displays the empty error fields as blank, which looks very odd.

My result looks like this,

Month   Er1   Er2   Er3   Er4   Er5   Er6
Jan     20    XX    10    15    XX    XX
Feb     XX    14    12    XX    15    XX
Mar     10    14    XX    XX    XX    20

So in my bar chart, for each month it shows 6 bars (as the total types of errors are 6), but I want to show only the 3 bars with values.
Any option of keeping the bar values in descending order will also work, so that I can keep the bars with 0 count at the end.

0 Karma

woodcock
Esteemed Legend

For those trying to play along at home, use this search for "Last 60 minutes":

index=_*
| rename sourcetype AS Error date_hour AS Date
| stats count AS ErrorCount BY Error Date
| sort Date -ErrorCount
| dedup 3 Date
| chart values(ErrorCount) AS count BY Date Error

Then I select Bar Chart and notice that the ones with no values show blank spots. I believe the ask is to collapse those blank spots, which I do not think is possible with Simple XML. You will have to do a custom visualization or file an Enhancement Request.

0 Karma

niketn
Legend

Can you add the SPL for this as well? What is your final pipe for building the chart?
Are your zero values actually XX in the data, or 0, or have you just mocked it?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

harish_ka
Communicator

Please find the SPL below:

search ...
| stats count as ErrorCount by Error, Date
| sort Date, -ErrorCount
| dedup 5 Date
| chart values(ErrorCount) as count by Date, Error

Here the XX value is null, not zero; I just mocked it here.

0 Karma

niketn
Legend

Change your chart command to the following and see if it helps

| chart max(ErrorCount ) as count by Date,Error cont=false

With your existing query with values(ErrorCount), I am assuming there is either only a single value per aggregation by Date, Error or no value. So you can add cont=false to drop bins with null or no values. I have changed from values() to max() to avoid multiple values; however, depending on your data, that might not be required.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

harish_ka
Communicator

It didn't work 😞 @niketnilay

0 Karma
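
An added example, not posted by anyone in this thread: one way to get only the populated bars is to skip the final `chart ... BY Date Error` pivot, which is the step that creates a null cell for every Date/Error pair, and plot a single series keyed on a combined label instead. It reuses the test data from woodcock's search above; the field name `DateError` is made up for this illustration.

```spl
index=_*
| rename sourcetype AS Error date_hour AS Date
| stats count AS ErrorCount BY Error Date
| sort 0 Date -ErrorCount
| dedup 3 Date
| eval DateError=Date." / ".Error
| table DateError ErrorCount
```

Rendered as a Bar Chart, this gives one bar per row, so each Date shows exactly its top three errors in descending order with no blank slots. The trade-off is that all bars belong to one series, so errors are told apart by the axis label rather than by color.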