Fill zero in the table for timechart

Question

Hi, I would like to create a timechart for high daily number of incident in the past 7-day. However, not everyday has high incident. How could I fill the 0 into the result if that day has no high incident?&nbsp;I had the similar ticket before:&nbsp;https://techcommunity.microsoft.com/t5/microsoft-sentinel/barchart-when-the-returned-result-is-zero/m-p/3219799#M9144I am not sure if i need to create the dynamic object for the past 7-day.&nbsp;Thanks.SecurityIncident
| where Severity == "High"
| summarize StartTime = startofday(min(TimeGenerated)), count() by Severity, IncidentNumber
| summarize count() by bin(StartTime,1d)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

clive_watson · Answer

Steven_Su&nbsp;SecurityIncident
| where Severity == "High"
| make-series count(), default=0 on TimeGenerated from ago(7d) to now() step 1d // by IncidentNumber
| project TimeGenerated, count_
| render columnchart with (title = "Total Incidents per Day")

clive_watson · Answer

Steven_Su&nbsp;&nbsp;Take a look at make-series, something like this example&nbsp;SecurityIncident
| where Severity == "High"
| make-series count(), default=0 on TimeGenerated from ago(7d) to now() step 1d by IncidentNumber
| project TimeGenerated, count_
| render columnchart  &nbsp;&nbsp;

steven_su · Answer

Clive_Watson&nbsp;Hi Clive, since there are multiple IncidentNumber generated within a single day, the chart will be like this. How could I just make each day a single bar instead of showing multiple colors of portions? Thank you.&nbsp;&nbsp;&nbsp;&nbsp;

steven_su · Answer

Clive_Watson&nbsp;Yes the approach works. But one more question, if the data is 0 in the past 7 day, is it possible to still post the graph instead of showing the message "The query returned no results."? Thanks

Forum Discussion

Fill zero in the table for timechart

Share

Resources