I was able to plot a graph that, whilst it shows all the info I need, it also contains massive gaps that make it less appealing.
Is it possible to eliminate those gaps? I'm not concerned about keeping the timeframe consistent.
MY search is as follows:
> index=crypto CurrencyB="CND" OR
> CurrencyS="CND" | timechart
> sum(eval(if(CurrencyB="CND",Buy,Sell
> *-1))) as Total, sum(eval(if(CurrencyB="CND",round(Sell/Buy,8),null)))
> as UnitPrice span=d cont=FALSE |
> streamstats sum(Total) as Gtotal
Hi @ADRIANODL,
Ideally your query should work fine and as expected as you have mentioned cont=false with timechart, but if you are using old version of Splunk then please check Splunk doc of timechart (http://docs.splunk.com/Documentation/Splunk/5.0.6/SearchReference/Timechart) with Splunk version are you using. If not work try another approach below with stats function, if you are sure you want your data month wise (as show in the attached screenshot of question) then following query may help.
index=crypto CurrencyB="CND" OR CurrencyS="CND"
| eval month=date_month." ".date_year
| stats sum(eval(if(CurrencyB="CND",Buy,Sell*-1))) as Total, sum(eval(if(CurrencyB="CND",round(Sell/Buy,8),null))) as UnitPrice by month
| streamstats sum(Total) as Gtotal
Hi ADRIANODL,
I think in my case it is working just by writing cont=false, nothing else is required. Can you tell me which Splunk version are you working on?
Hi Vatsal,
Actually, the data shown refers to days, not months. So at specific days of the year, certain events happened; I just want to show those, without the gaps. I'll try your query and let you know.
