Forum Discussion
Standard Deviation - Hourly Data - prefill "hours" with no data with "0" alerts?
I have a query which I am running on data for last 24 hours, and summarizing number of alerts by Hour... Essentially the "DateUTCHourOnly" variable can be 0-23 for all the hours of the day. In ou...
Have you looked at make-series rather than summarize? It has a "defaultvalue" you can use for missing data in each hourly bin
https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/make-seriesoperator
https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/make-seriesoperator
Extremely cool, thanks! here is what I came up with...
| summarize Alerts=count(),max(TimeGenerated) by DateUTCHourOnly
| make-series HourlyData=avg(Alerts) default=0 on DateUTCHourOnly from 0 to 24 step 1
| project series_stats(HourlyData)
| where series_stats_HourlyData_stdev >=1000
Does that look OK? Edit: figured out the nonempty