I have added timechart and span in my query for a dashboard panel (single value visualization). While the panel shows trend settings for other panels with a similar query, the 2 panels do not get it.
If there are no events returned then there is no trend. However, to display "0" instead of "No results found" use appendpipe.
index=xyz EventCode=4624 OR EventCode=4625 |timechart span=24h count by user
| appendpipe [ stats count | eval user="N/A" | where count==0 ]
Obviously, something is different between the one panel that works and the two that don't. I can't see your screen from here, so you'll have to describe the differences to me before I can help.
Query for the panel that doesn't show trend indicator settings:
index=xyz EventCode=4624 OR EventCode=4625 |timechart span=24h count by user
Query for the panel that shows trend indicator settings:
index=xyz (sourcetype=linux_secure eventtype="sshd_authentication" ) OR (eventtype=wineventlog_security AND EventCode=4625) |timechart span=4h values(src_ip) by user| timechart span=24h count
@richgalloway What I found is if my search doesn't retrieve any events it doesn't show trend settings and says "No result found", while if it shows events, it shows the trend, sparkline, etc. What can we do to fix "No result found" and get indicators for 0 events as well?