Solved: Re: chart with missing values

xvxt006 · ‎07-23-2014

Hi,

i am charting errors and i see that for some of the days there is no data and i want to fill that date with 0. So i have used this query. I see that i have 0s when there are no actual values. But in the chart, i see actual values on the x axis and date values as the data points. How to flip this so that i see date on the x axis and actual data on the data points..

Suda · ‎07-23-2014

Hello,

Could you try to use "timechart" instead of "chart"?

xxxxxx | timechart span=1d count(uri) AS Errors | eval Date=strftime(_time," %m-%d") | table Date Errors

I believe it would be simple.

I hope it helps you. Thank you.

View solution in original post

Suda · ‎07-23-2014

Hello,

Could you try to use "timechart" instead of "chart"?

xxxxxx | timechart span=1d count(uri) AS Errors | eval Date=strftime(_time," %m-%d") | table Date Errors

I believe it would be simple.

I hope it helps you. Thank you.

Suda · ‎07-23-2014

You want to see the chart (historical graph), don't you?
If you stop "timechart" command, you may see the timechart.
Is it an answer which you want?

xvxt006 · ‎07-23-2014

Thank you. i did not know that having table would still show the chart

xvxt006 · ‎07-23-2014

yes you are right. But when i use timechart, i don't get the date format in the way i want (month-day) and also when i chart it, it skips showing some of the dates (even though data points are there)

strive · ‎07-23-2014

Looks like your use case is: Chart count of errors over date (with span as 1 day) and when there is no data you should show it as 0.
Is there any specific reason to use join?

chart with missing values

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?