Solved: Re: Linechart with count 0 shows up as count 1

Bleepie · ‎03-10-2022

Dear Splunk community,

I have the following query:

index="myIndex"
source="*mySource*" 
nameOfLog* 
"ExitCode: 0" 
| stats count by _time

Once a day a event is generated. So either it was generated (count = 1) or it was not (count = 0).

I have a line diagram for the last 30 days that looks like this:

On February 20th there was one event generated. On 23 February there was one event generated. On 21th and 22th of February, no events were generated. Therefore I expect the line to go down in the line chart like so:

------_-------

This is not happening, and I am wondering why. How do I adjust this to show count=0 in the chart aswell? Thanks.

ITWhisperer · ‎03-10-2022

There are no events so nothing is charted - use timechart to generate events with zero counts

| timechart count

View solution in original post

venky1544 · ‎03-10-2022

Hi @Bleepie

did you tried

|timechart span=1d count by _time

ITWhisperer · ‎03-10-2022

There are no events so nothing is charted - use timechart to generate events with zero counts

| timechart count

Why is my linechart with count 0 shows up as count 1?

chart

panel

timechart

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!