- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Ignore Empty valued bars in Bar Chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ignore Empty valued bars in Bar Chart
I have a report which shows top 3 errors by month,error. i am trying to plot this on a bar chart (Not timechart), so the bar chart displays the empty errors fields as blank, which looks very odd.
My result looks like this,
Month ---- Er1 ---------Er2-------Er3--------Er4---------Er5---------Er6
Jan --------- 20 -------- XX ------10 -------- 15 ---------XX------------XX
Feb--------- XX ---------- 14------- 12 --------XX----------15-----------XX
Mar--------- 10 ---------- 14------- XX --------XX----------XX-----------20
So in my bar chart for each month it shows 6 bars (as the total type of errors are 6), but i want to show only the 3 bars with values.
Any option of keeping the bars values in descending order will also work... so that i can keep the bar with ) count to the end...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For those trying to play along at home, use this search for "Last 60 minutes":
index=_*
| rename sourcetype AS Error date_hour AS Date
| stats count AS ErrorCount BY Error Date
| sort Date -ErrorCount
| dedup 3 Date
| chart values(ErrorCount) AS count BY Date Error
Then I select Bar Chart and notice that the ones with no values show blank spots. I believe the ask is to collapse those blank spots, which I do not think is possible with Simple XML. You will have to do a custom visualization or file an Enhancement Request.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you add SPL for this as well? What is your final pipe for building the chart.
Is your zero values actually XX in the data or 0 or have you just mocked it?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please find the SPL beow,
search ... | stats count as ErrorCount by Error,Date|sort Date,-count|dedup 5 Date|chart values(ErrorCount ) as count by Date,Error.
Here the XX value is null, not zero, i just mocked here..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change your chart command to the following and see if it helps
| chart max(ErrorCount ) as count by Date,Error cont=false
With your existing query with values(ErrorCount), I am assuming there is either only single value per aggregation by Date, Error or no value. So you can add cont=false to drop bins with null or no values. I have changed from values() to max() to avoid multiple value, however depending on your data that might not be required.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It didn't work 😞 @niketnilay
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
