I am trying to get one of the fields in my timechart to not connect points on null values, whilst still allowing the others to connect.
For example, I would like the outliers field to leave gaps on null values, whilst median and durationMs connect.
I can't seem to find anything online on this, so I was just wondering if it was even possible, maybe by even doing something in the XML like
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.nullValueMode.outlier">gap</option>
Obviously that doesn't work, but maybe it's on the right track?
EDIT: my durationMs field does have null values, so I cannot just keep the chart setting to gaps
<form>
<row>
<panel>
<chart>
<search>
<query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</form>
Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.
<form>
<row>
<panel>
<chart>
<search>
<query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</form>
Hi, @jakethomso you don't need any options.
my splunk is ver 8.0.1.
cont=f did the job! Thank you.
Unfortunately your solution only works as there are no null values in your count, whereas my durationMs field does contain some null values. Therefore I need to use the connect null values option on that field, whilst keeping the outlier field as gaps.
I should have made that more clear, my bad.
NULL values can be removed by query.
That is what I have been doing so far, but that also compresses the graph in periods that have less events. Which makes it quite misleading, as the time is no longer consistent throughout.
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1month@d"), relative_time(_time,"@d"))
| makecontinuous span=1h _time
| eval count=random() % 21 + 1
| eventstats median(count) as median
| eval outlier=if(count=20,20,NULL)
| eval flag=random() % 3
| where flag!=2
| timechart cont=f values(eval(count)) as count values(outlier) as outlier values(median) as median
If you delete the null value in where
and use timechart
with cont = f , you will not see any missing values.