Re: replace "0" with "-" in chart count by two fie...

l_ · ‎06-16-2022

I have been trying to make heatmap in Splunk dashboard

i want to replace "0" with "-" in the cell of chart count by two fields when the cell is no data.

How do I accomplish this?

EX)

DATA:

FIELD1,FIELD2,FIELD3

a,A,x

b,B,x

a,B,

| chart count(isnotnull(FIELD3)) AS countA by FIELD2,FIELD1

Relults I want:

a b

A 2 -

B 0 1

Now Relults:

a b

A 2 0

B 0 1

l_ · ‎06-16-2022

For example, I'd like to distinguish

- exist FIELD1,FIELD2 / not exist FIELD3

- not exist FIELD1,FIELD2,FIELD3

ITWhisperer · ‎06-16-2022

| foreach *
  [| eval <<FIELD>>=if(<<FIELD>>==0,"-",<<FIELD>>)]

l_ · ‎06-16-2022

Thank you for your reply.

I tried it, but I'm currently experiencing this errors.

--------------------Failed to parse templatized search for field 'xxx'

for all 35 fields..

What should i do?

ITWhisperer · ‎06-16-2022

OK so your fields aren't called "Field1" or "Field2"?

Try putting the field name placeholders in quotes like this

| foreach *
  [| eval "<<FIELD>>"=if('<<FIELD>>'==0,"-",'<<FIELD>>')]

Note double quotes before the = and single quotes afterwards.

l_ · ‎06-16-2022

>OK so your fields aren't called "Field1" or "Field2"?

Actually, yes.

Thank you so much. I could replace "0" with "-".

Can you distinguish at my example like below

- 0 expression : exist FIELD1,FIELD2 / not exist FIELD3

- 0 expression : not exist FIELD1,FIELD2,FIELD3

replace "0" with "-" in chart count by two fields