Solved: Stacked timechart of accumulative count with missi...

noambz · ‎03-20-2013

Hi,

I have the following search which generates the data below:

some_search | bucket _time span=1h | stats count as total_count by _time gender | streamstats sum(total_count) as acc_count by gender.

time/gender/count/acc_count

2/21/13 9:00:00.000 PM female 1 1

2/21/13 9:00:00.000 PM male 1 1

2/22/13 9:00:00.000 PM female 1 2

2/22/13 9:00:00.000 PM male 1 2

2/22/13 7:00:00.000 PM female 1 3

2/23/13 9:00:00.000 PM male 2 4

2/24/13 9:00:00.000 PM male 1 5

When I chart it with:

| timechart span=1d max(acc_count) by gender

I have a problem on the 23rd and 24th because there are no females and therefore the stacked chart shows nothing.
I am trying to show accumulative values so the chart should show 3 females on the 23rd and 24th like on the 22nd.

Anyone have an idea?

martin_mueller · ‎03-20-2013

As an alternative, you can simplify your search a lot:

some search | timechart span=1d count as total_count by gender | streamstats sum(*) as *

No filldown needed.

View solution in original post

martin_mueller · ‎03-20-2013

As an alternative, you can simplify your search a lot:

some search | timechart span=1d count as total_count by gender | streamstats sum(*) as *

No filldown needed.

noambz · ‎03-20-2013

Great.
Didn't know about that * option.
That did the trick and is much simpler!

noambz · ‎03-20-2013

Struggled with this for many hours but found the answer 20 min after posting....

filldown command did the trick!

Stacked timechart of accumulative count with missing values?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor