I'm trying to fill in the gaps in a set of data, where there are different gaps for each of the types.
... | appendpipe [ stats FIRST(device_id) AS device_id BY day, device_type | map maxsearches=20 search="where device_type=\"$device_type$\" | makecontinuous day span=1 | where ISNULL(device_type) | eval device_type=\"$device_type$\", device_id=\"$device_id$\" " ] ...
But I get no results from that. I've tried multiple variants of this, with & without quotes, with & without the wheres. All give me nothing ...
makecontinuous on its own does create the missing entries, but without the relevant device_type values, and without multiple events (one for each missing type) on each day.
Any advice / comment / better way of doing this?
are you using chart before the makecontinuous? if you have duplicate day values makecontinuous will not work.
can you try (edit chart syntax to fit your needs)
|chart count(device_id) as devices by day device_type |makecontinuous day |fillnull value=0
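What the suggested chart | makecontinuous | fillnull pipeline does, traced through in Python on a constructed event set (an added illustration, not code from this thread; the EVENTS list and function names are made up):

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events (day, device_type, device_id), not the asker's data.
# Type 2 has no events on 2024-01-02 and no type has events on 2024-01-03:
# those are the gaps the thread is about.
EVENTS = [
    ("2024-01-01", 1, "a"),
    ("2024-01-01", 2, "b"),
    ("2024-01-02", 1, "a"),
    ("2024-01-02", 1, "c"),
    ("2024-01-04", 2, "b"),
]

def chart_devices_by_day_type(events):
    """Mirror `chart count(device_id) as devices by day device_type`:
    one row per (day, device_type) that actually occurs in the events."""
    counts = defaultdict(int)
    for day, dtype, _device_id in events:
        counts[(day, dtype)] += 1
    return dict(counts)

def makecontinuous_fillnull(table, fill=0):
    """Mirror `makecontinuous day | fillnull value=0` on the chart output:
    every day from the first to the last, for every device_type, with
    `fill` wherever chart produced no row. chart already collapsed each
    (day, device_type) to a single row, so day has no duplicates per
    column and makecontinuous behaves."""
    days = sorted({date.fromisoformat(d) for d, _ in table})
    types = sorted({t for _, t in table})
    out = {}
    day = days[0]
    while day <= days[-1]:
        for t in types:
            out[(day.isoformat(), t)] = table.get((day.isoformat(), t), fill)
        day += timedelta(days=1)
    return out

def filled(events):
    """Gap-free day x device_type table for the constructed events."""
    return makecontinuous_fillnull(chart_devices_by_day_type(events))

if __name__ == "__main__":
    for (day, dtype), n in sorted(filled(EVENTS).items()):
        print(day, dtype, n)
```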
Thanks. I was aware of that deficiency in makecontinuous and trying to avoid it. I can make it work by adding multiple makecontinuous, one for each device_type, but that needs editing every time that list of device types changes. e.g.
| appendpipe [ where device_type=1 | makecontinuous day | where ISNULL(device_type) | eval device_type=1 ] | appendpipe [ where device_type=2 | makecontinuous day | where ISNULL(device_type) | eval device_type=2 ] etc ...
What I'm trying to do is fill in the gaps in the results of the previous search, which summarises log entries. On some days, for some device types, there are no entries so there are gaps ... and I'd like those filled in, for each device type.
I'm not sure what you believe your code is supposed to do.
The first thing I would try is to put a pipe before stats.
The second thing would be to turn the search from the map search= into a valid search, by at the very least starting it with the keyword search.
Before I did any of that, though, I would describe here in plain English what you are trying to achieve and see whether or not the community is able to give you the desired syntax.
The code is intended to fill in gaps in the results from the previous search. That produces results by day and device_type, but not all days have results for all device types.
The gaps make some graphs and subsequent analyses perform strangely.
a search that summarises log entries by day and device_type, giving active and concurrent active, along with concurrent registrations (credential validity is renewed daily and credentials are valid 7 days from last use).