Solved: Dots/gaps in timechart when using sum(packets) by ...

splunklearner12 · ‎06-26-2019

When I use "(base search) | timechart sum(packets) by destination useother=f usenull=f", I get gaps in my timechart:

When I use a longer time frame of 1 day, I also get gaps:

In another timechart, I have the exact same base search and just "| timechart sum(packets)", and it has no gaps. I found that when I add "by destination" to this one, it also gets the gaps/dots.
As far as I can see on https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Timechart timechart should convert null values to 0 by default...
Any ideas?

adonio · ‎06-26-2019

under visualization -> click format -> general tab -> click on connect in "Null Value" line

see attached screenshot

View solution in original post

adonio · ‎06-26-2019

under visualization -> click format -> general tab -> click on connect in "Null Value" line

see attached screenshot

splunklearner12 · ‎06-27-2019

Thank you for that simple solution. I found the second option called "Zero" looked nicer though!

Dots/gaps in timechart when using sum(packets) by destination

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update