Hi folks,
I'm working on a search to return the number of events by hour over any specified time period. At the moment I've got this on the tail of my search:
... | stats count by date_hour | sort date_hour
I want this search to return the count of events grouped by hour for graphing.
This for the most part works. However if the search returns no events for a given hour, that hour doesn't appear in the resulting table.
Is there a way to modify this to essentially add 0's for the hours with no events? Given stats is only aggregating on fields that exist in the result data and it isn't really a "time" aware function I can't see a solution.
Is there even a better way to do this? This is for a dashboard where I want to graph the busiest time of day across a given time range and want the query flexible enough to just be able to change the time range (7d, last month, last year).
Thanks,
Marcus
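The gap described above, as an added Python illustration that is not Splunk code and not part of the thread: it reproduces what `stats count by date_hour` yields (only hours that have events, since `date_hour` is the 0-23 hour of day) and then shows the zero-filled 24-row version a stable chart needs; the log lines are constructed samples.

```python
"""Hour-of-day event histogram, sparse (as stats returns it) vs. zero-filled."""
from collections import Counter
from datetime import datetime

# Constructed sample events with an ISO-8601 timestamp prefix.
# Only hours 3, 9 (twice) and 22 occur, so 20 hours have no events.
SAMPLE_EVENTS = [
    "2024-05-01T03:14:07Z sshd: accepted publickey for alice",
    "2024-05-01T09:02:55Z sshd: accepted publickey for bob",
    "2024-05-02T09:41:12Z sshd: failed password for root",
    "2024-05-02T22:05:30Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
]


def event_hour(line: str) -> int:
    """Hour of day (0-23) from the line's timestamp, like Splunk's date_hour."""
    stamp = line.split(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").hour


def sparse_counts(lines):
    """Mirrors `stats count by date_hour | sort date_hour`:
    a row appears only for hours that actually had events."""
    return dict(sorted(Counter(event_hour(line) for line in lines).items()))


def dense_counts(lines):
    """Same histogram, but every hour 0-23 is present and quiet hours read 0,
    so the x-axis is identical whatever time range the dashboard covers."""
    sparse = sparse_counts(lines)
    return {hour: sparse.get(hour, 0) for hour in range(24)}


def busiest_hour(lines):
    """Hour of day with the most events (first one wins on a tie)."""
    dense = dense_counts(lines)
    return max(dense, key=dense.get)


if __name__ == "__main__":
    print("sparse:", sparse_counts(SAMPLE_EVENTS))
    for hour, count in dense_counts(SAMPLE_EVENTS).items():
        print(f"{hour:02d}:00  {count}")
    print("busiest hour:", busiest_hour(SAMPLE_EVENTS))
```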