Interestingly, to remove empty buckets from timechart, you negate continuity; the option is cont.
| timechart cont=FALSE count
The plot is no longer linearly scaled to time if any bucket has been removed, of course. (cont defaults to TRUE.)
Thanks, it's helped a lot.
You can play with the graphical chart settings and set "null values" to "connect".
But if the problem happens with many data points, probably you might want to change the timespan over which buckets are computed.
| timechart span=2h count by host
Please look at the makecontinuous command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makecontinuous
<yoursearch> | timechart count by blah | makecontinuous _time
You could append a "| where isnotnull(myDataField)" after the timechart command. But the resulting graph could become difficult to read because the data points are not always at the same interval anymore.
Why not use the graph option to omit null values instead?