Hi,
I have a chart that is produced by executing a search with a | timechart command.
As the search is executing, you can see the chart cells appear as shown in the following image:
But once the search above is finished the following gap appears in the chart data:
This search has just over 150000 matching events in total. Is this gap appearing because a search limit is being exceeded? How can I stop this from happening?
Help would be much appreciated. Thanks in advance.
This can be resolved by restructuring the search. Simply add a stats command stage to help the timechart command on its way. It fixes the issue.
Are you proposing using both stats and timechart?
For example, a search like this is showing gaps for me as well (but searches with smaller time windows show the data does exist and can be generated by timechart):
_some_base_search | timechart span=1d perc90(field)