Solved: Re: Gap in chart data

Ant1D · ‎01-11-2012

Hi,

I have a chart that is produced by executing a search with a | timechart command.

As the search is executing, you can see the chart cells appear as shown in the following image:

But once the search above is finished the following gap appears in the chart data:

This search has just over 150000 matching events in total. Is this gap appearing because a search limit is being exceeded? How can I stop this from happening?

Help would be much appreciated. Thanks in advance.

fox · ‎01-12-2012

This can be resolved by restructuring the search. Simply add a stats command stage to help the timechart command on it's way. It fixes the issue.

View solution in original post

fox · ‎01-12-2012

This can be resolved by restructuring the search. Simply add a stats command stage to help the timechart command on it's way. It fixes the issue.

sloshburch · ‎02-27-2014

Are you proposing using both stats and timechart?

For example a search like this is showing gaps for me as well (but searches with smaller time windows show the data does exist and can be generated by timechart)
_some_base_search | timechart span=1d perc90(field)

Gap in chart data

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...