Forum Discussion

Steven_Su's avatar
Steven_Su
Copper Contributor
Mar 06, 2022

Fill zero in the table for timechart

Hi, I would like to create a timechart for high daily number of incident in the past 7-day. However, not everyday has high incident. How could I fill the 0 into the result if that day has no high inc...
Dashboards
KQL
kusto
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Mar 06, 2022

Steven_Su 

 

Take a look at make-series, something like this example

 

SecurityIncident
| where Severity == "High"
| make-series count(), default=0 on TimeGenerated from ago(7d) to now() step 1d by IncidentNumber
| project TimeGenerated, count_
| render columnchart

 

 




Steven_Su's avatar
Steven_Su
Copper Contributor
Mar 07, 2022

Clive_Watson 

Hi Clive, since there are multiple IncidentNumber generated within a single day, the chart will be like this. How could I just make each day a single bar instead of showing multiple colors of portions? Thank you.

 

 

 

 

  • Clive_Watson's avatar
    Clive_Watson
    Bronze Contributor
    Mar 07, 2022

    Steven_Su 

    SecurityIncident
| where Severity == "High"
| make-series count(), default=0 on TimeGenerated from ago(7d) to now() step 1d // by IncidentNumber
| project TimeGenerated, count_
| render columnchart with (title = "Total Incidents per Day")
    • Steven_Su's avatar
      Steven_Su
      Copper Contributor
      Mar 08, 2022

      Clive_Watson 

      Yes the approach works. But one more question, if the data is 0 in the past 7 day, is it possible to still post the graph instead of showing the message "The query returned no results."? Thanks

Resources