Solved: Null/empty data and sparkline

rereeser · ‎09-17-2012

Hi, I've got some data that reports the number of users once per day, like:

users=1000

users=1500

users=9001

I'm trying to make a simple sparkline which shows this over the last 90 days. My current search is:

mysearch | chart latest(users) sparkline(avg(users),1d)

This works, but there is a problem: the sparkline displays a value of 0 as the first or last value, depending on when the search is run. It assumes that the value is 0 when the search time range includes part of a day that does not have data. For example, if the search includes the last 2 hours of Tuesday, it will assume a 0, because the data from Tuesday was reported at 4 am.

So, how do I get sparkline to ignore these values, or get the search to not include "partial" days? I've tried usenull=f in the chart command, but it doesn't seem to work for sparklines. I realize that making this a scheduled search would probably work if I get the time ranges just right, but I feel like there is a more elegant way to do it, and I don't want it to break if the reporting frequency changes or moves to a different time.

Thanks in advance

rereeser · ‎09-18-2012

Nevermind, I found it. I forgot I could use the "snap to time unit" for my time ranges:

earliest=-30d@d

View solution in original post

timmalos · ‎09-27-2013

For next ones who would a solution without changing the time unit :

|makemv delim="£" setsv=true YOURSPARKLINEFIELD|eval YOURSPARKLINEFIELD=replace((YOURSPARKLINEFIELD),",0","")|makemv delim="," setsv=true YOURSPARKLINEFIELD

That will delete all 0 values generated by Splunk stats sparkline() function that you dont want to see [Often the first and last value].

rereeser · ‎09-18-2012

Nevermind, I found it. I forgot I could use the "snap to time unit" for my time ranges:

earliest=-30d@d

Null/empty data and sparkline

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!