You can use a combination of the fillmissing operator and the sum operator to get the desired "0" value.
Below is a sample query you can refer to:
*| timeslice by 1h
| count by _timeslice
| fillmissing timeslice(1h)
| sum(_count)
| _sum as _count
| fields - _sum
Comments
1 comment
How to achieve the same result ("0" when there are no records), using only count (without timeslice) ?
* ERROR | count
(with a time range of last 1h and no errors I want to have "0", as a number so I can apply color by range)
Please sign in to leave a comment.