Solved: Stacked timechart of accumulative count with missi...

noambz · ‎03-20-2013

Hi,

I have the following search which generates the data below:

some_search | bucket _time span=1h | stats count as total_count by _time gender | streamstats sum(total_count) as acc_count by gender.

time/gender/count/acc_count

2/21/13 9:00:00.000 PM female 1 1

2/21/13 9:00:00.000 PM male 1 1

2/22/13 9:00:00.000 PM female 1 2

2/22/13 9:00:00.000 PM male 1 2

2/22/13 7:00:00.000 PM female 1 3

2/23/13 9:00:00.000 PM male 2 4

2/24/13 9:00:00.000 PM male 1 5

When I chart it with:

| timechart span=1d max(acc_count) by gender

I have a problem on the 23rd and 24th because there are no females and therefore the stacked chart shows nothing.
I am trying to show accumulative values so the chart should show 3 females on the 23rd and 24th like on the 22nd.

Anyone have an idea?

martin_mueller · ‎03-20-2013

As an alternative, you can simplify your search a lot:

some search | timechart span=1d count as total_count by gender | streamstats sum(*) as *

No filldown needed.

View solution in original post

martin_mueller · ‎03-20-2013

As an alternative, you can simplify your search a lot:

some search | timechart span=1d count as total_count by gender | streamstats sum(*) as *

No filldown needed.

noambz · ‎03-20-2013

Great.
Didn't know about that * option.
That did the trick and is much simpler!

noambz · ‎03-20-2013

Struggled with this for many hours but found the answer 20 min after posting....

filldown command did the trick!

Stacked timechart of accumulative count with missing values?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes