How to set specific options for certain fields in a chart

jakethomso
Explorer

I am trying to get one of the fields in my timechart to not connect points on null values, whilst still allowing the others to connect.

For example, I would like the outliers field to leave gaps on null values, whilst median and durationMs connect.

I can't seem to find anything online on this, so I was just wondering if it was even possible, maybe by even doing something in the XML like

<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.nullValueMode.outlier">gap</option>

Obviously that doesn't work, but maybe it's on the right track?

EDIT: my durationMs field does have null values, so I cannot just keep the chart setting to gaps

0 Karma
1 Solution

to4kawa
Ultra Champion
<form>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

Hi @jakethomso, you don't need any options.
My Splunk is ver 8.0.1.

0 Karma

jakethomso
Explorer

cont=f did the job! Thank you.

0 Karma

jakethomso
Explorer

Unfortunately your solution only works as there are no null values in your count, whereas my durationMs field does contain some null values. Therefore I need to use the connect null values option on that field, whilst keeping the outlier field as gaps.

I should have made that more clear, my bad.

0 Karma

to4kawa
Ultra Champion

NULL values can be removed by query.

0 Karma

jakethomso
Explorer

That is what I have been doing so far, but that also compresses the graph in periods that have fewer events, which makes it quite misleading, as the time is no longer consistent throughout.

0 Karma

to4kawa
Ultra Champion
| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d")) 
| makecontinuous span=1h _time 
| eval count=random() % 21 + 1 
| eventstats median(count) as median 
| eval outlier=if(count=20,20,NULL) 
| eval flag=random() % 3 
| where flag!=2 
| timechart cont=f values(eval(count)) as count values(outlier) as outlier values(median) as median

If you delete the null values in where and use timechart with cont=f, you will not see any missing values.
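
An added example, not posted by anyone in this thread: one way to get the per-field behaviour asked about is to keep `charting.chart.nullValueMode` at `gaps` for the whole chart and fill the nulls of only the series that should connect, by linear interpolation inside the search, so the time axis stays continuous. The generated sample data, the 1h span and the helper fields `prev_t`, `prev_v`, `next_t` and `next_v` are assumptions made for the illustration.

```xml
<!-- Added example, not code from the thread. The data is constructed with
     makeresults: 48 hourly points, every 5th durationMs value is null. -->
<dashboard>
  <row>
    <panel>
      <chart>
        <search>
          <query><![CDATA[| makeresults count=48
| streamstats count as n
| eval _time = relative_time(now(), "@h") - (48 - n) * 3600
| eval durationMs = if(n % 5 == 0, null(), 100 + (random() % 50))
| eval outlier = if(durationMs > 140, durationMs, null())
| timechart span=1h cont=t max(durationMs) as durationMs max(outlier) as outlier
| eval prev_t = if(isnotnull(durationMs), _time, null()), prev_v = durationMs
| filldown prev_t prev_v
| reverse
| eval next_t = if(isnotnull(durationMs), _time, null()), next_v = durationMs
| filldown next_t next_v
| reverse
| eval durationMs = case(
    isnotnull(durationMs), durationMs,
    isnotnull(prev_v) AND isnotnull(next_v),
      prev_v + (next_v - prev_v) * (_time - prev_t) / (next_t - prev_t),
    true(), null())
| fields _time durationMs outlier]]></query>
          <earliest>-48h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <!-- Chart-wide setting: any null still present renders as a gap.
             outlier keeps its nulls; durationMs has had its interior nulls
             replaced by points on the straight line between its neighbours,
             which is what "connect" would have drawn for that series. -->
        <option name="charting.chart.nullValueMode">gaps</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Nulls before the first or after the last real durationMs value have no neighbour on one side, so they are left null and still show as gaps.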
