Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to remove empty buckets in timechart

cmak
Contributor
‎01-25-2013 04:43 PM

When I plot a timechart, there are some empty buckets, which causes a gap in my graph.
This happens if I have no data at that time as I have discrete data.
Is there a way to remove these empty buckets from the data?

Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-06-2014 06:14 PM

Interestingly, to remove empty buckets from timechart, you negate continuity; the option is cont.

| timechart cont=FALSE count

The plot is no longer linearly scaled to time if any bucket has been removed, of course. (cont defaults to TRUE.)

Reply

fabiocaldas
Contributor
‎05-11-2018 10:57 AM

Thanks it's helped a lot

0 Karma
Reply

Paolo_Prigione
Builder
‎01-27-2013 04:42 PM

You can play with the graphical chart settings and set "null values" to "connect".
But if the problem happens with many data points, probably you might want to change the timespan over which buckets are computed. 

| timechart span=2h count by host
Reply

RicoSuave
Builder
‎01-27-2013 10:32 AM

please look at the makecontinuos command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makecontinuous

<yoursearch> | timechart count by blah | makecontinuos _time
0 Karma
Reply

chris
Motivator
‎01-26-2013 04:38 AM

You could append a "| where isnotnull(myDataField)" after the timechart command. But the resulting Graph could become difficult to read because the data points are not allways at the same intervall anymore.

0 Karma
Reply

Ayn
Legend
‎01-26-2013 01:34 AM

Why not use the graph option to omit null values instead?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...