https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-min-max-average-and-count-values/m-p/681224#M232790 <P>I have written this query:</P><P>&nbsp;</P><LI-CODE lang="markup">index=index_name (log.event=res OR (log.event=tracing AND log.operationName=query_name)) | timechart span=1m avg(log.responseTime) as AvgTimeTaken, min(log.responseTime) as MinTimeTaken, max(log.responseTime) as MaxTimeTaken count by log.operationName</LI-CODE><P>&nbsp;</P><P>My results look like this:</P><TABLE border="1" width="66.30812336471703%"><TBODY><TR><TD width="10%" height="47px">_time&nbsp;&nbsp;</TD><TD width="10%" height="47px">AvgTimeTaken: NULL</TD><TD width="10%" height="47px">MaxTimeTaken: NULL</TD><TD width="10%" height="47px">MinTimeTaken: NULL</TD><TD width="10%" height="47px">count:query_name</TD><TD width="10%" height="47px">count: NULL</TD><TD width="10%" height="47px">&nbsp; count:query_name</TD></TR><TR><TD height="25px">2024-03-18 13:00:00</TD><TD height="25px">&nbsp;</TD><TD height="25px">&nbsp;</TD><TD height="25px">&nbsp;</TD><TD height="25px">0</TD><TD height="25px">0</TD><TD height="25px">0</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I want to understand what the :NULL means, and also how I can get the query to display all values.&nbsp; Secondly, the count is getting displayed for query_name that is similar to the query_name in my query string. I wanted to get an exact match on the query_name. Can someone please help me with this?</P><P>Thanks!</P> Tue, 19 Mar 2024 18:39:35 GMT shasha97 2024-03-19T18:39:35Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-min-max-average-and-count-values/m-p/681224#M232790 <P>I have written this query:</P><P>&nbsp;</P><LI-CODE lang="markup">index=index_name (log.event=res OR (log.event=tracing AND log.operationName=query_name)) | timechart span=1m avg(log.responseTime) as AvgTimeTaken, min(log.responseTime) as MinTimeTaken, max(log.responseTime) as MaxTimeTaken count by log.operationName</LI-CODE><P>&nbsp;</P><P>My results look like this:</P><TABLE border="1" width="66.30812336471703%"><TBODY><TR><TD width="10%" height="47px">_time&nbsp;&nbsp;</TD><TD width="10%" height="47px">AvgTimeTaken: NULL</TD><TD width="10%" height="47px">MaxTimeTaken: NULL</TD><TD width="10%" height="47px">MinTimeTaken: NULL</TD><TD width="10%" height="47px">count:query_name</TD><TD width="10%" height="47px">count: NULL</TD><TD width="10%" height="47px">&nbsp; count:query_name</TD></TR><TR><TD height="25px">2024-03-18 13:00:00</TD><TD height="25px">&nbsp;</TD><TD height="25px">&nbsp;</TD><TD height="25px">&nbsp;</TD><TD height="25px">0</TD><TD height="25px">0</TD><TD height="25px">0</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I want to understand what the :NULL means, and also how I can get the query to display all values.&nbsp; Secondly, the count is getting displayed for query_name that is similar to the query_name in my query string. I wanted to get an exact match on the query_name. Can someone please help me with this?</P><P>Thanks!</P> Tue, 19 Mar 2024 18:39:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-min-max-average-and-count-values/m-p/681224#M232790 shasha97 2024-03-19T18:39:35Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-min-max-average-and-count-values/m-p/681270#M232807 <P>If you specify multiple aggregation functions for timechart by some field, it creates separate data series for each aggregation function and the field value. In the case of :NULL these are stats for events where the field value is empty (I suspect that for log.event=res there is no field log.operation).</P> Tue, 19 Mar 2024 21:43:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-min-max-average-and-count-values/m-p/681270#M232807 PickleRick 2024-03-19T21:43:01Z