Re: Timechart filldown

perrinj2 · ‎09-23-2020

I have a dashboard search which ends with a timechart like this

| eval VUser=if(isnotnull(Stop_time),0,VUser)

| timechart count(VUser) by Protocol

The event with the VUser field is only present for one time interval of the timechart series so I want do the equivalent of a filldown until Stop_time is not null and then reset the VUser count.

Filldown only works when there are nulls. In the above example when there are no values for VUser timechart generates a zero value rather than a null which is why filldown is no good.

What else can I do in this case?

perrinj2 · ‎09-24-2020

Good idea but this only works if I remove the "by Protocol" split which I need

The stats tab shows a series of columns with Protocol values as headings. How can I refer to these fields to try the eval command to change zero to null?

richgalloway · ‎09-24-2020

Try "fudging" it by setting the zero values to nulls so filldown works.

| eval VUser=if(isnotnull(Stop_time),0,VUser)
| timechart count(VUser) as Count by Protocol
| eval Count=if(Count==0, NULL, Count)
| filldown Count

---
If this reply helps you, Karma would be appreciated.

Timechart filldown

timechart

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...