Null/empty data and sparkline

rereeser
Explorer

Hi, I've got some data that reports the number of users once per day, like:

users=1000

users=1500

users=9001

I'm trying to make a simple sparkline which shows this over the last 90 days. My current search is:

mysearch | chart latest(users) sparkline(avg(users),1d)

This works, but there is a problem: the sparkline displays a value of 0 as the first or last value, depending on when the search is run. It assumes that the value is 0 when the search time range includes part of a day that does not have data. For example, if the search includes the last 2 hours of Tuesday, it will assume a 0, because the data from Tuesday was reported at 4 am.

So, how do I get sparkline to ignore these values, or get the search to not include "partial" days? I've tried usenull=f in the chart command, but it doesn't seem to work for sparklines. I realize that making this a scheduled search would probably work if I get the time ranges just right, but I feel like there is a more elegant way to do it, and I don't want it to break if the reporting frequency changes or moves to a different time.

Thanks in advance


rereeser
Explorer

Never mind, I found it. I forgot I could use the "snap to time unit" for my time ranges:

earliest=-30d@d

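The partial-day effect described in the question and the snap-to-day fix from the accepted answer, as an added Python model; it is not part of the original thread and not Splunk's implementation. The timestamps, user counts and function names are constructed, and the model goes one step beyond the answer by also snapping the end of the range (`latest=@d`) to show the trailing edge.

```python
from datetime import datetime, timedelta

def snap_to_day(t):
    """Model of the @d modifier: round a time down to midnight."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)

def daily_sparkline(events, earliest, latest):
    """Average 'users' per calendar-day bucket touched by [earliest, latest).
    A bucket with no events in range is emitted as 0, which is the
    behaviour the question describes for partial days."""
    buckets = {}
    day = snap_to_day(earliest)
    while day < latest:
        buckets[day] = []
        day += timedelta(days=1)
    for ts, users in events:
        if earliest <= ts < latest:
            buckets[snap_to_day(ts)].append(users)
    return [sum(v) / len(v) if v else 0 for _, v in sorted(buckets.items())]

# Constructed sample data: one report per day at 04:00.
EVENTS = [(datetime(2024, 5, d, 4, 0), u)
          for d, u in [(10, 900), (11, 1000), (12, 1500), (13, 9001), (14, 9100)]]

def compare(now, days=3):
    """Return the sparkline values for three ways of writing the time range."""
    start = now - timedelta(days=days)
    return {
        # earliest=-3d : window starts mid-day, first bucket may be empty
        "unsnapped": daily_sparkline(EVENTS, start, now),
        # earliest=-3d@d : window starts at midnight (the accepted answer)
        "snap_earliest": daily_sparkline(EVENTS, snap_to_day(start), now),
        # earliest=-3d@d latest=@d : whole days only, today excluded
        "snap_both": daily_sparkline(EVENTS, snap_to_day(start), snap_to_day(now)),
    }

if __name__ == "__main__":
    # Run late in the day (after the 04:00 report) and early (before it).
    for run_at in (datetime(2024, 5, 14, 22, 0), datetime(2024, 5, 14, 2, 0)):
        print(run_at, compare(run_at))
```
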

timmalos
Communicator

For the next ones who would like a solution without changing the time unit:

|makemv delim="£" setsv=true YOURSPARKLINEFIELD|eval YOURSPARKLINEFIELD=replace((YOURSPARKLINEFIELD),",0","")|makemv delim="," setsv=true YOURSPARKLINEFIELD

That will delete all the 0 values generated by the Splunk stats sparkline() function that you don't want to see (often the first and last value).
