https://community.splunk.com/t5/Splunk-Search/Why-some-of-the-field-values-are-missing-after-stats-and-chart/m-p/347434#M102893 <P>Can you try :</P> <PRE><CODE> | eval eventHour=strftime(_time,"%H") | table eventHour STORAGECYCLEGROUPID DESTINATIONRACKLOCATION AISLE BAY LEVEL | sort STORAGECYCLEGROUPID EVENTTS ASC | autoregress STORAGECYCLEGROUPID as SC | eval SC2=(STORAGECYCLEGROUPID-SC) | eval cyclecheck=if(SC2=="0",0,1) | autoregress BAY as BAY2 | eval baycheck=abs(BAY-BAY2) | autoregress LEVEL as LEVEL2 | eval levelcheck=abs(LEVEL-LEVEL2) | eval stops=if(cyclecheck=1 OR baycheck&gt;1 OR levelcheck&gt;0,1,0) | stats sum(stops) as numberofstop by STORAGECYCLEGROUPID , eventHour | chart count over eventHour by numberofstop | rename 1 as "1 Stop", 2 as "2 Stops", 3 as "3 Stops", 4 as "4 Stops" </CODE></PRE> Wed, 18 Apr 2018 04:02:49 GMT p_gurav 2018-04-18T04:02:49Z https://community.splunk.com/t5/Splunk-Search/Why-some-of-the-field-values-are-missing-after-stats-and-chart/m-p/347433#M102892 <P>Hi Guys,</P> <P>When I run the below query, it only returns the eventHour up to 14 (2pm) when there are events up to eventHour 18 (6pm).<BR /> I tried to add |search eventHour=15,16,17,18 after the |eval eventHour and it returned the stats on those eventHours.</P> <P>What should I do to display the stats on all eventHours? Thank you!</P> <PRE><CODE>---search--- | eval eventHour=strftime(_time,"%H") | table eventHour STORAGECYCLEGROUPID DESTINATIONRACKLOCATION AISLE BAY LEVEL | sort STORAGECYCLEGROUPID EVENTTS ASC | autoregress STORAGECYCLEGROUPID as SC | eval SC2=(STORAGECYCLEGROUPID-SC) | eval cyclecheck=if(SC2=="0",0,1) | autoregress BAY as BAY2 | eval baycheck=abs(BAY-BAY2) | autoregress LEVEL as LEVEL2 | eval levelcheck=abs(LEVEL-LEVEL2) | eval stops=if(cyclecheck=1 OR baycheck&gt;1 OR levelcheck&gt;0,1,0) | stats max(eventHour) as eventHour sum(stops) as numberofstop by STORAGECYCLEGROUPID | chart count over eventHour by numberofstop | rename 1 as "1 Stop", 2 as "2 Stops", 3 as "3 Stops", 4 as "4 Stops" </CODE></PRE> Wed, 18 Apr 2018 03:51:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-of-the-field-values-are-missing-after-stats-and-chart/m-p/347433#M102892 auaave 2018-04-18T03:51:49Z https://community.splunk.com/t5/Splunk-Search/Why-some-of-the-field-values-are-missing-after-stats-and-chart/m-p/347434#M102893 <P>Can you try :</P> <PRE><CODE> | eval eventHour=strftime(_time,"%H") | table eventHour STORAGECYCLEGROUPID DESTINATIONRACKLOCATION AISLE BAY LEVEL | sort STORAGECYCLEGROUPID EVENTTS ASC | autoregress STORAGECYCLEGROUPID as SC | eval SC2=(STORAGECYCLEGROUPID-SC) | eval cyclecheck=if(SC2=="0",0,1) | autoregress BAY as BAY2 | eval baycheck=abs(BAY-BAY2) | autoregress LEVEL as LEVEL2 | eval levelcheck=abs(LEVEL-LEVEL2) | eval stops=if(cyclecheck=1 OR baycheck&gt;1 OR levelcheck&gt;0,1,0) | stats sum(stops) as numberofstop by STORAGECYCLEGROUPID , eventHour | chart count over eventHour by numberofstop | rename 1 as "1 Stop", 2 as "2 Stops", 3 as "3 Stops", 4 as "4 Stops" </CODE></PRE> Wed, 18 Apr 2018 04:02:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-of-the-field-values-are-missing-after-stats-and-chart/m-p/347434#M102893 p_gurav 2018-04-18T04:02:49Z https://community.splunk.com/t5/Splunk-Search/Why-some-of-the-field-values-are-missing-after-stats-and-chart/m-p/347435#M102894 <P>@p_gurav, thanks for your reply! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I tried it but it's still the same. Btw, I am using |stats max(eventHour) because 1 STORAGECYCLEGROUPID can have maximum of 4 events and I want it to look at the max eventHour if incase all events did not occur on the same eventHour.</P> Wed, 18 Apr 2018 04:11:38 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-of-the-field-values-are-missing-after-stats-and-chart/m-p/347435#M102894 auaave 2018-04-18T04:11:38Z