Suport for "show items with no data" as in grouped responses

Comments

4 comments

  • Avatar
    Christian

    hey Steven - could you copy the query here? for charts with a time-based X axis this should actually not be a problem but it sorta depends what comes out the other end of the query. happy to take a look.

     

    chr.

    0
    Comment actions Permalink
  • Avatar
    Steve McMillen

    Sure.  Here it is:

    {code}

    _source="Messaging Application Log" "LeadSpend"

    | parse "Http status code is * and response is * for email * when calling LeadSpend" as http_response, response_val, email nodrop

    | timeslice by 1h

    | count by http_response, _timeslice

    | sort by _timeslice asc, http_response asc

    {code}

    I only see an entry in the grouped output table or the column chart if there is at lest one 500 or 502 - otherwise an entry is not included.  See in the attached file, the output grouped by http response and timeslice by hour does not show an entry when there are no values for that hour.

     

     

    0
    Comment actions Permalink
  • Avatar
    Steve McMillen

    Note: I had to use the nodrop because actual query has other conditions I'm testing for and w/o nodrop I get no results.

    0
    Comment actions Permalink
  • Avatar
    Christian

    add this at the end of the query (and you can remove the sort):

    | transpose row _timeslice column http_response

    this will massage the result set in such a way that charted by a bar, line, or area chart, we detect that the X axis is actually time, and we will render the results accordingly, including "gaps". you can then chose either Stacking: None or Stacking: Normal from the Gear -> Change Properties menu.

    the explanation for why transpose is required is a bit lengthy - maybe it is obvious from looking at the results in the grid view. if not, let me know.

    cheers,

     

    chr.

    0
    Comment actions Permalink

Please sign in to leave a comment.