https://community.splunk.com/t5/Splunk-Search/Maniupulating-time-to-remove-0-values-from-line-chart/m-p/532405#M150404 <P>Use the timechart command and adjust the span until the zeros disappear.</P><LI-CODE lang="markup">index=myindex | search mysearch | spath response_time | spath input=request_payload output=platform path=client_properties.platform | streamstats avg(response_time) as platform_response_time by platform time_window=10m | timechart span=10m first(platform_response_time) by platform</LI-CODE> Tue, 08 Dec 2020 22:25:56 GMT richgalloway 2020-12-08T22:25:56Z https://community.splunk.com/t5/Splunk-Search/Maniupulating-time-to-remove-0-values-from-line-chart/m-p/532348#M150381 <P>I have a line chart in which I'm trying to monitor response time for a certain network call. I want to see the average response time, over time, by platform in a line chart.</P><P>Input data looks something like this:</P><TABLE border="1" width="38.44905780900671%"><TBODY><TR><TD width="16.666666666666668%">network call #</TD><TD width="16.666666666666668%">response time (ms)</TD><TD width="16.666666666666668%">platform</TD></TR><TR><TD><P>1</P></TD><TD>200</TD><TD>web</TD></TR><TR><TD>2</TD><TD>250</TD><TD>android</TD></TR><TR><TD>3</TD><TD>300</TD><TD>web</TD></TR><TR><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">140</TD><TD width="16.666666666666668%">ios</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>and my current query looks like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=myindex | search mysearch | spath response_time | spath input=request_payload output=platform path=client_properties.platform | streamstats avg(response_time) as platform_response_time by platform time_window=10m | chart first(platform_response_time) over _time by platform</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>This is getting my pretty close, but theres something about it that isn't "right" :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-12-08 at 10.21.53 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12216i15386760AE825613/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-12-08 at 10.21.53 AM.png" alt="Screen Shot 2020-12-08 at 10.21.53 AM.png" /></span></P><P>What can I do to make the line's... better? I don't even know how to phrase this, but there shouldn't be 0 values. The lines shouldn't be jumping up and backdown to 0 at every tick. They should be more "straight". The problem, I think, is that I'm creating a point for each interval of time, and there isn't a request for every platform at every interval.&nbsp;</P><P>Is there a way to group time intervals together in a longer period of time? i.e. there will only be a plot point for the average repsonse time each 5 minute interval? If there are truly 0 requests in 5m from a platform, that should be reflected, but it isn't likely and wouldn't happen so often.</P> Tue, 08 Dec 2020 15:27:01 GMT https://community.splunk.com/t5/Splunk-Search/Maniupulating-time-to-remove-0-values-from-line-chart/m-p/532348#M150381 ericwindmill 2020-12-08T15:27:01Z https://community.splunk.com/t5/Splunk-Search/Maniupulating-time-to-remove-0-values-from-line-chart/m-p/532405#M150404 <P>Use the timechart command and adjust the span until the zeros disappear.</P><LI-CODE lang="markup">index=myindex | search mysearch | spath response_time | spath input=request_payload output=platform path=client_properties.platform | streamstats avg(response_time) as platform_response_time by platform time_window=10m | timechart span=10m first(platform_response_time) by platform</LI-CODE> Tue, 08 Dec 2020 22:25:56 GMT https://community.splunk.com/t5/Splunk-Search/Maniupulating-time-to-remove-0-values-from-line-chart/m-p/532405#M150404 richgalloway 2020-12-08T22:25:56Z