Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Pie Chart - shows no results found when result is 0

davidlapello
Engager
‎02-19-2019 09:28 AM

I am searching for error differences between data canters over a selected range of time, displaying in a pie chart. I don't want the pie chart to disappear when the result for both dc's is 0(if only one dc is 0, the chart is still correct). The search and chart work for every result except 0.

index=logs "error"
| replace "*1dc" with "dc1" in host
| replace "*2dc" with "dc2" in host
| stats count by host

Thanks for the help.

Update: got the previous gauge issue resolved with: | appendpipe [stats count | eval NoResult="" | where count=0]
Still cant resolve the pie chart issue.

Tags (1)
Reply

niketn
Legend
‎03-01-2019 10:26 PM

@davidlapello, what do you want to show when all hosts have 0 count? A pie slice can not be rendered with 0 value. So you will need to clarify the intent in case all values are zero.

Do you have a lookup or inventory of all hosts that can be pulled in case index does not have host data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

spavin
Path Finder
‎03-01-2019 04:52 PM

If you would like to show two results, even if the count is zero, then you could try something like:

index=logs "error"
    | replace "*1dc" with "dc1" in host
    | replace "*2dc" with "dc2" in host
    | stats count by host
    | append[makeresults count=2| streamstats count as id| eval host=if(id==1,"dc1","dc2"), count=0] | stats sum(count) as count by host

It's a bit of a hack, but essentially it's making sure that you will have at least 2 rows, with values 'dc1' and 'dc2' for host. It uses your main search results first and only use these fake results as a fall-back.

The only problem is that a pie chart with two zero-value entries looks like a line:

alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...