
Create pie chart that shows values >=0 also when there are no results!

reschal
Explorer

Hi,
I want to create a pie chart by different values, which works well. I have the following problem: the pie chart shall display 0 when there is no event. I created a search that results in a dummy value of 0: | appendpipe [stats count | eval NoResult="0" | where count=0]

My query: index=abc OR index=def Statuscode="12345" | chart count by index | appendpipe [stats count | eval NoResult="0" | where count=0]

How is it possible to "combine" the search "chart count by index" with the dummy value?

Thanks for your help!


niketn
Legend

@reschal, appendpipe should add an entry with 0 value, which should be visible in your pie chart. If you have more than 10 results and see an "others" slice with one or more results, there is also a chance that the minimum slice size threshold is being applied. If that is the case, you need to change the threshold option to 0 to see the slice with 0 value.

Following is a run-anywhere search based on the Splunk _internal index:

        <search>
          <query>index=_internal sourcetype=splunkd
| stats count by group
| sort - count
| head 20
| appendpipe
    [| makeresults
     | eval group="UnKnown", count=0
     | table group count]
| dedup group</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>

Following is the Simple XML chart configuration for setting the minimum size threshold, charting.chart.sliceCollapsingThreshold:

<option name="charting.chart.sliceCollapsingThreshold">0</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


reschal
Explorer

Thanks for your support. Your query works, but is there any option so that my chart only shows the value Unknown (=0) if there is no other event? In case my search shows some events, the "dummy event" shall be removed.


niketn
Legend

Yes, you should do a dedup by index at the end, i.e. | dedup index.

Since we are appending the dummy value(s) at the end of the result, if multiple values for the same field value remain, it will pick up the first (in other words, the one from the query result). As you can see, I have | dedup group as my final pipe.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
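
A placeholder row that exists only when the search returns nothing, as asked in the follow-up, written as an added example that is not part of any post in this thread. It reuses the asker's `stats count | where count=0` subpipeline and gives the row a slice label; the label `NoResult` and the 24-hour time range are assumptions.

```xml
<!-- Added example. The slice label "NoResult" and the time range are assumptions. -->
<chart>
  <search>
    <!-- Inside appendpipe, "stats count" counts the rows that chart produced.
         No rows: count is 0, the row passes the where clause and is appended.
         One or more rows: count is above 0, the where clause drops it, nothing is appended. -->
    <query>index=abc OR index=def Statuscode="12345"
| chart count by index
| appendpipe
    [ stats count
    | where count=0
    | eval index="NoResult"
    | table index count ]</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <option name="charting.chart">pie</option>
  <!-- Threshold 0, as in the answer above, so small slices are not collapsed. -->
  <option name="charting.chart.sliceCollapsingThreshold">0</option>
</chart>
```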