Hi
Does anyone know how to get as output of a stats command a table with all values even when the result is null to avoid gaps in the table?
" ..... | stats count by date_mday Priority | xyseries date_mday Priority count | fillnull | sort+date_mday"
If there is no entry for one day, the day is skipped.
BRgds
Loys
Hi loyslegrand,
take this run everywhere example and adapt it to your needs:
index=_internal foo earliest=-30d | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday
Here the timechart does most of what you want but the date_mday is blank for dates with no data. The eval will recreate this field and finally the fields command cleans the result.
hope this helps to get you started ...
cheers, MuS
Does timechart not work?
..... | timechart span=1d count by Priority
nice, please mark this as answered by ticking the tick - thx 🙂
Thanks, it works; as I wanted the count by Priority I have entered:
"index=_internal foo earliest=-30d | timechart span="1d" count by Priority | eval date_mday=strftime(_time, "%d")"
the result is a full table including the null values
Loys
Add fillnull before your stats command.
... | fillnull date_mday | stats count ...
with fillnull, I have the same result as before
Thanks
Loys
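The timechart approach from this thread on constructed data, as an added example that is not part of the original posts: makeresults generates six sample events on only three of six consecutive days, and the field n and the day offsets are assumptions made for illustration. Days with no events come back from timechart as rows with a count of 0 per Priority, and the eval rebuilds date_mday for every row.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-7d@d") + 43200 + 86400 * case(n<=2, 0, n<=4, 2, true(), 5)
| eval Priority = if(n%2==0, "High", "Low")
| timechart span=1d count by Priority
| eval date_mday = strftime(_time, "%d")
```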