cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

How to have a time chart show zero for missing/null data.

Deleted
Not applicable

‎Nov 06 2017 07:30 AM - last edited on ‎Nov 09 2023 11:10 AM by

‎Nov 06 2017 07:30 AM - last edited on ‎Nov 09 2023 11:10 AM by

How to have a time chart show zero for missing/null data.

Hi,

 

I have a data set that when I use the summarize/bin over a 1 min interval has gaps in the data (hours) and when the timechart renders the graph the line goes directly from the last value in one set to the first value in the next set (so it looks like there is some data there). 

Is there a way to have the summarize/bin function or the timechart to use zero (or some default value) for the buckets that I don't have data for?

 

-thanks

29.5K Views
0 Likes
6 Replies
Reply
6 Replies
best response
Evgeny Ternovsky

‎Nov 07 2017 02:37 AM

‎Nov 07 2017 02:37 AM

Solution

Re: How to have a time chart show zero for missing/null data.

Hi,

 

Please check out the make-series function to achieve this. For example, instead of saying:

Heartbeat
| where TimeGenerated > ago(1d)
| summarize count() by Computer, bin(TimeGenerated, 1h)
 

You can say:

Heartbeat
| make-series count() default=0 on TimeGenerated in range(ago(1d), now(), 1h) by Computer
 
The output is a bit different for make-series (you get an array for datetimes and an array for the count for each computer rather than a row combination for each), so if you want the data in the same format that summarize produces, you can do so via mvexpand:
Heartbeat
| make-series count() default=0 on TimeGenerated in range(ago(1d), now(), 1h) by Computer
| mvexpand count_, TimeGenerated
3 Likes
Reply
Burton Johnsey

‎Feb 21 2018 10:07 AM

‎Feb 21 2018 10:07 AM

Re: How to have a time chart show zero for missing/null data.

make-series with mvexpand doesn't work in a predictable way for me.

 

Take for example:

Perf
| where CounterName == "Thread Count" 
| where InstanceName == "AgentService"
| make-series avg(CounterValue) on TimeGenerated in range(ago(1d), now(), 30m) by Computer
| mvexpand TimeGenerated , avg_CounterValue 
| project TimeGenerated=todatetime(TimeGenerated)-8h, Computer, Hits = toint(avg_CounterValue)

 

It will return 0 for all days when it should return 6.

 

If I run just up to the make-series part and examine one of the Computer series, the data looks partially correct. The last 24 hours for a given computer show 6, everything else is 0.

 

If I reduce the range from 7d to 1d, the data looks correct.

 

Is there something wrong with my query? Is there some limitation or bug I am running into?

0 Likes
Reply
Evgeny Ternovsky

‎Feb 21 2018 10:29 AM

‎Feb 21 2018 10:29 AM

Re: How to have a time chart show zero for missing/null data.

Without seeing actual data, a couple of possibilities come to mind that might affect this:

  • mvexpand has a default length limit of 128 rows that can be overridden (details in docs). 
  • the range limits specified in make-series do not today override the timepicker next to the run button. It's possible that the time picker is set to a shorter time range than that in your make-series, resulting in missing data. A guaranteed way to verify this is by parameterizing your range:
    let span = 7d;
Perf
| where TimeGenerated > ago(span)
| where CounterName == "% Processor Time" 
| make-series avg(CounterValue) on TimeGenerated in range(ago(span), now(), 30m) by Computer
| mvexpand TimeGenerated , avg_CounterValue 
| project TimeGenerated=todatetime(TimeGenerated)-8h, Computer, Hits = toint(avg_CounterValue)
    Adding the extra | where TimeGenerated... clause overrides the time picker.

Please give these two a shot, and if still not working, let me know and we can dig deeper.

1 Like
Reply
Burton Johnsey

‎Feb 21 2018 02:47 PM

‎Feb 21 2018 02:47 PM

Re: How to have a time chart show zero for missing/null data.

You just saved my life! Both issues were at play and now the data looks correct. Thank you so much Evgeny :)

1 Like
Reply
abhijit940

‎Jan 22 2019 06:36 AM

‎Jan 22 2019 06:36 AM

Re: How to have a time chart show zero for missing/null data.

How to make "make-series" work with time range on portal instead of hard coding the value/specifying the relative time range.

range(ago(1d), now(), 1h)

If I change the time range from portal to say last 7 days, how to make it work with "make-series" without editing the query ?
0 Likes
Reply
jwmathe

‎Sep 17 2019 12:39 PM

‎Sep 17 2019 12:39 PM

Re: How to have a time chart show zero for missing/null data.

@Evgeny Ternovsky 

Found this super helpful as well when I was creating a time-series graph of some data that had several days with zero values.  Much appreciated.

0 Likes
Reply
1 best response

Accepted Solutions
best response
Evgeny Ternovsky

‎Nov 07 2017 02:37 AM

‎Nov 07 2017 02:37 AM

Solution

Re: How to have a time chart show zero for missing/null data.

Hi,

 

Please check out the make-series function to achieve this. For example, instead of saying:

Heartbeat
| where TimeGenerated > ago(1d)
| summarize count() by Computer, bin(TimeGenerated, 1h)
 

You can say:

Heartbeat
| make-series count() default=0 on TimeGenerated in range(ago(1d), now(), 1h) by Computer
 
The output is a bit different for make-series (you get an array for datetimes and an array for the count for each computer rather than a row combination for each), so if you want the data in the same format that summarize produces, you can do so via mvexpand:
Heartbeat
| make-series count() default=0 on TimeGenerated in range(ago(1d), now(), 1h) by Computer
| mvexpand count_, TimeGenerated

View solution in original post

3 Likes
Reply