Splunk Search

How to remove empty buckets in timechart

cmak
Contributor

When I plot a timechart, there are some empty buckets, which causes a gap in my graph.
This happens if I have no data at that time as I have discrete data.
Is there a way to remove these empty buckets from the data?

yuanliu
SplunkTrust
SplunkTrust

Interestingly, to remove empty buckets from timechart, you negate continuity; the option is cont.

| timechart cont=FALSE count

The plot is no longer linearly scaled to time if any bucket has been removed, of course. (cont defaults to TRUE.)

fabiocaldas
Contributor

Thanks it's helped a lot

0 Karma

Paolo_Prigione
Builder

You can play with the graphical chart settings and set "null values" to "connect".
But if the problem happens with many data points, probably you might want to change the timespan over which buckets are computed.

| timechart span=2h count by host

RicoSuave
Builder

please look at the makecontinuos command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makecontinuous

<yoursearch> | timechart count by blah | makecontinuos _time
0 Karma

chris
Motivator

You could append a "| where isnotnull(myDataField)" after the timechart command. But the resulting Graph could become difficult to read because the data points are not allways at the same intervall anymore.

0 Karma

Ayn
Legend

Why not use the graph option to omit null values instead?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...