So I have this basic search for a line graph visualization:
(search goes here) | timechart count
Let's say I've had 10 events/hour up until 7:00am this morning. Between 7:00-10:00am I've had zero events. When I render the graph, it "stops" at 7:00am. How can I force the graph to include the zero events between 7:00-10:00am? The reason this is important is that I'm trying to get the graph to communicate that the events have stopped... but it looks like they are still on-going since it doesn't include recent hours of zero events. I hope that makes sense.
Thanks for your help!
Try this workaround
your base search | timechart count | appendpipe [|stats count | addinfo | eval _time=info_max_time | table _time] | makecontinuous
You could also try
| timechart count fixedrange=T | fillnull
although fixrange is supposed to be the default.
I just tried this and unfortunately, it produces the same result. Instead, is there a way to force a time range (e.g. last 24 hours) in a graph?
In my opinion, this is almost a bug as this should be a simple/basic thing to do...
Or maybe I shouldn't be using a timechart for what I'm trying t do?
Thanks
Try this workaround
your base search | timechart count | appendpipe [|stats count | addinfo | eval _time=info_max_time | table _time] | makecontinuous
Thanks, the updated answer works! I really appreciate it, I probably would not have figured this out on my own.
Try the updated answer. This ensures that all the missing bins (e.g. last 6 hrs in your search) will have be shown and you'll get more streamlined graph.
I tried this, and while this does get the graph to hit zero, the trend line is still very much compressed -> I've had zero events for this search in the last 6 hours, so while the line goes to zero, there is no continuation/trend of the line for the last 6 hours (it looks like the events just now stopped and went to zero, which is not the case).
Thanks
The visualization for timechart has an option for how to treat "missing" values. The default setting is "gap", which means "if you have no events, don't draw a line".
You want the option called "treat as zero".
I've added my timechart in my original post. You'll see that while it successfully draws a line at zero for previous times, the line ends at 7:20am and doesn't drop down to zero for the previous 3 hours (to 10:30am). It's still dangling high at 100 even though the current value for this event is zero, and has been for the last 3 hours.
Hi, thanks for the reply. I've tried that option and while it works for events between let's say 6:00am yesterday and 7:00am today, it doesn't force the graph to draw a line for the most recent X hours. So right now, even with that option set, my graph stops at 7:00am this morning even though it's 10:30am.