topic Re: timechart is continous - cannot ignore the timeframe of missing events. in Splunk Search

timechart is continous - cannot ignore the timeframe of missing events.

praphulla1 — Wed, 31 Jul 2019 21:07:00 GMT

one of our dashboards were using below query
| timechart count span=1d cont=false

in 6.6.4 Splunk enterprise, we could see that it can ignore time-frame for missing data when we use cont=false. In 7.2.6
splunk, the results are different, chart shows the timeframe for missing data.

Attached are screenshots for both splunk versions. I can achieve the expected behavior using stats over one of the field, but i will not be able to use the annotations feature of 7.x. Can you help with this issue to show graph non-continuously and ignore the data for missing timeframe.

If you would like to replicate. use below query along with attached lookup file.

 | inputlookup FDE_incidents_mec.csv 
 | sort 0 by time_epoch desc 
 | addinfo 
 | where created_time > info_min_time AND created_time < info_max_time OR info_max_time="+Infinity" 
 | stats count by created_time 
 | sort created_time 
 | eval created_time= strftime(created_time,"%d-%b-%y")

Screenshots - https://imgur.com/a/1PX3S5s

Re: timechart is continous - cannot ignore the timeframe of missing events.

Sukisen1981 — Thu, 01 Aug 2019 17:33:40 GMT

screenshot?

Re: timechart is continous - cannot ignore the timeframe of missing events.

praphulla1 — Thu, 01 Aug 2019 18:12:22 GMT

https://imgur.com/a/1PX3S5s

Re: timechart is continous - cannot ignore the timeframe of missing events.

woodcock — Thu, 01 Aug 2019 19:34:57 GMT

You can either add this to the bottom:

... | where count>0

Or this:

... | eval count=if(count>0, count, null())

Lastly, you need to decide how to visualize the holes so click on the format tool, select the General tab and try the different options for Null values

Re: timechart is continous - cannot ignore the timeframe of missing events.

praphulla1 — Thu, 01 Aug 2019 19:41:07 GMT

the output of my query doesn't contain any events with =0. Let me try the options in format tool and get back to you.

Re: timechart is continous - cannot ignore the timeframe of missing events.

woodcock — Thu, 01 Aug 2019 19:59:03 GMT

If there are no values with 0 then what in the world are you talking about?

Re: timechart is continous - cannot ignore the timeframe of missing events.

woodcock — Thu, 01 Aug 2019 20:01:28 GMT

If you would just like to drop the most-recent time-window which may be partial because of event latency, you can just add this to your search:

... | reverse | streamstats count AS _order | where _order = 1 | reverse | fields - _order

Re: timechart is continous - cannot ignore the timeframe of missing events.

praphulla1 — Thu, 01 Aug 2019 22:30:18 GMT

Did you see the pictures i posted. if you compare the graph you can see that in 7.x it plots the 0 on time-chart making it look continuous(day 1, 2, 3,4,5,6,7,8,9) vs 6.x where it is non-continuous (day 1,2,5,8,9). Assume day 3,4,6,7 are 0.

Re: timechart is continous - cannot ignore the timeframe of missing events.

woodcock — Sun, 04 Aug 2019 18:54:03 GMT

The problem is probably that Splunk has changed the defualt for the Null values setting in the Format area of the timechart. The possible values are Gaps, Zero, and Connect. It looks like in one is using Zero and the other is using Connect. Try the other values for this setting.