Elastic - Visualizing objects in tables with Zero records

Kibana dashboards in Elastic are highly effective for creating meaningful visualizations to analyze data. However, if a query in the dashboard does not return any records, the dashboard may not display zero values for the visualized data. In some scenarios, it’s essential to represent those zero values in the dashboard for clarity.

For example, consider a dashboard designed to display the number of logs received from firewalls over a specific period, with each unique firewall identified by observer.name. If the Elastic logging system does not receive logs from a particular firewall, you want the dashboard to explicitly show a value of zero for that firewall (observer.name).

The method outlined below demonstrates how to include values in the dashboard so that fields with zero records are displayed with a value of zero in the visualization.

(Credit to VJ and Johnson for this approach.)

Steps in Elastic

Click on [Create Dashboard]

Click on [Create Visualization]

Select [Appropriate Data source] as the Data View

Under [Visualization type], choose Table

Under [search fields], search for [Object with zero records. In this case observer.name]

Drag and drop [observer.name] to the right. Put it under [Rows]

Repeat step 6 & 7, this time search for [Records], then drag and drop it under [Metrics]

Click on [Top 5 value of observer.name] under Rows

Click on [Filters].

Click on [“observer.name” : *].

Remove * and select/type the firewall name.