How to remove empty buckets in timechart

cmak · ‎01-25-2013

When I plot a timechart, there are some empty buckets, which causes a gap in my graph.
This happens if I have no data at that time as I have discrete data.
Is there a way to remove these empty buckets from the data?

yuanliu · ‎08-06-2014

Interestingly, to remove empty buckets from timechart, you negate continuity; the option is cont.

| timechart cont=FALSE count

The plot is no longer linearly scaled to time if any bucket has been removed, of course. (cont defaults to TRUE.)

fabiocaldas · ‎05-11-2018

Thanks it's helped a lot

Paolo_Prigione · ‎01-27-2013

You can play with the graphical chart settings and set "null values" to "connect".
But if the problem happens with many data points, probably you might want to change the timespan over which buckets are computed.

| timechart span=2h count by host

RicoSuave · ‎01-27-2013

please look at the makecontinuos command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makecontinuous

<yoursearch> | timechart count by blah | makecontinuos _time

chris · ‎01-26-2013

You could append a "| where isnotnull(myDataField)" after the timechart command. But the resulting Graph could become difficult to read because the data points are not allways at the same intervall anymore.

Ayn · ‎01-26-2013

Why not use the graph option to omit null values instead?

How to remove empty buckets in timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases