Query Information
PPL Command/Query:
source=events | timechart span=1m count() by host
Expected Result:
{
"schema": [
{
"name": "@timestamp",
"type": "timestamp"
},
{
"name": "host",
"type": "string"
},
{
"name": "count()",
"type": "bigint"
}
],
"datarows": [
[
"2023-01-01 10:25:00",
"server2",
1
],
[
"2023-01-01 10:35:00",
"server2",
1
],
[
"2023-01-01 10:20:00",
"server1",
1
],
[
"2023-01-01 10:10:00",
"server1",
1
],
[
"2023-01-01 10:15:00",
"server2",
1
],
[
"2023-01-01 10:30:00",
"server1",
1
],
[
"2023-01-01 10:05:00",
"server2",
1
],
[
"2023-01-01 10:00:00",
"server1",
1
]
],
"total": 8,
"size": 8
}
Actual Result:
{
"schema": [
{
"name": "@timestamp",
"type": "timestamp"
},
{
"name": "host",
"type": "string"
},
{
"name": "count",
"type": "bigint"
}
],
"datarows": [
[
"2023-01-01 10:00:00",
"server1",
1
],
[
"2023-01-01 10:00:00",
"server2",
0
],
[
"2023-01-01 10:05:00",
"server1",
0
],
[
"2023-01-01 10:05:00",
"server2",
1
],
[
"2023-01-01 10:10:00",
"server1",
1
],
[
"2023-01-01 10:10:00",
"server2",
0
],
[
"2023-01-01 10:15:00",
"server1",
0
],
[
"2023-01-01 10:15:00",
"server2",
1
],
[
"2023-01-01 10:20:00",
"server1",
1
],
[
"2023-01-01 10:20:00",
"server2",
0
],
[
"2023-01-01 10:25:00",
"server1",
0
],
[
"2023-01-01 10:25:00",
"server2",
1
],
[
"2023-01-01 10:30:00",
"server1",
1
],
[
"2023-01-01 10:30:00",
"server2",
0
],
[
"2023-01-01 10:35:00",
"server1",
0
],
[
"2023-01-01 10:35:00",
"server2",
1
]
],
"total": 16,
"size": 16
}
Empty buckets (a zero-count row for every host in every time bucket) are returned. However, according to the documentation:
Only combinations with actual data are included in the results - empty combinations are omitted rather than showing null or zero values.
By contrast, for other aggregations such as max, empty buckets are not returned:
source=events | timechart span=1min max(packets) by host
{
"schema": [
{
"name": "@timestamp",
"type": "timestamp"
},
{
"name": "host",
"type": "string"
},
{
"name": "max(packets)",
"type": "bigint"
}
],
"datarows": [
[
"2023-01-01 10:00:00",
"server1",
60
],
[
"2023-01-01 10:05:00",
"server2",
30
],
[
"2023-01-01 10:10:00",
"server1",
60
],
[
"2023-01-01 10:15:00",
"server2",
30
],
[
"2023-01-01 10:20:00",
"server1",
60
],
[
"2023-01-01 10:25:00",
"server2",
30
],
[
"2023-01-01 10:30:00",
"server1",
180
],
[
"2023-01-01 10:35:00",
"server2",
90
]
],
"total": 8,
"size": 8
}
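The two response shapes are easy to misread from raw JSON, so the following is an added example (not code from the issue or from the OpenSearch SQL project) that emulates `timechart span=1m <agg> by host` in both the documented sparse form and the observed zero-filled form over a constructed event set matching the buckets above, and that normalises a zero-filled `count()` response back to the sparse shape on the client. The events, their `packets` values, and the fill rule (observed time buckets crossed with observed hosts, inferred from the 16-row response) are assumptions; the `ACTUAL_COUNT_RESPONSE` literal is the response quoted in the issue. The practical reason the two shapes must agree: any detection or alerting logic that treats a missing bucket as "this host stopped sending events" sees a different signal depending on which aggregation the rule happens to use.

```python
"""Added example, not code from the issue or the OpenSearch SQL project:
emulate `timechart span=1m <agg> by host` in both the documented (sparse)
and the observed zero-filled shape, and normalise a zero-filled count()
response back to the sparse form."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events chosen to reproduce the buckets in the issue: one event
# every five minutes, alternating hosts; the packets values are assumed.
EVENTS = [
    {"@timestamp": "2023-01-01T10:00:00Z", "host": "server1", "packets": 60},
    {"@timestamp": "2023-01-01T10:05:00Z", "host": "server2", "packets": 30},
    {"@timestamp": "2023-01-01T10:10:00Z", "host": "server1", "packets": 60},
    {"@timestamp": "2023-01-01T10:15:00Z", "host": "server2", "packets": 30},
    {"@timestamp": "2023-01-01T10:20:00Z", "host": "server1", "packets": 60},
    {"@timestamp": "2023-01-01T10:25:00Z", "host": "server2", "packets": 30},
    {"@timestamp": "2023-01-01T10:30:00Z", "host": "server1", "packets": 180},
    {"@timestamp": "2023-01-01T10:35:00Z", "host": "server2", "packets": 90},
]

# The 16-row count() response quoted in the issue, as returned by the server.
ACTUAL_COUNT_RESPONSE = {
    "schema": [{"name": "@timestamp", "type": "timestamp"},
               {"name": "host", "type": "string"},
               {"name": "count", "type": "bigint"}],
    "datarows": [
        ["2023-01-01 10:00:00", "server1", 1], ["2023-01-01 10:00:00", "server2", 0],
        ["2023-01-01 10:05:00", "server1", 0], ["2023-01-01 10:05:00", "server2", 1],
        ["2023-01-01 10:10:00", "server1", 1], ["2023-01-01 10:10:00", "server2", 0],
        ["2023-01-01 10:15:00", "server1", 0], ["2023-01-01 10:15:00", "server2", 1],
        ["2023-01-01 10:20:00", "server1", 1], ["2023-01-01 10:20:00", "server2", 0],
        ["2023-01-01 10:25:00", "server1", 0], ["2023-01-01 10:25:00", "server2", 1],
        ["2023-01-01 10:30:00", "server1", 1], ["2023-01-01 10:30:00", "server2", 0],
        ["2023-01-01 10:35:00", "server1", 0], ["2023-01-01 10:35:00", "server2", 1],
    ],
    "total": 16, "size": 16,
}


def bucket_start(ts: str, span_minutes: int) -> str:
    """Floor an ISO-8601 UTC timestamp to the start of its span bucket and
    render it the way the PPL response does ("YYYY-MM-DD HH:MM:SS")."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    floored = dt - timedelta(minutes=dt.minute % span_minutes,
                             seconds=dt.second, microseconds=dt.microsecond)
    return floored.strftime("%Y-%m-%d %H:%M:%S")


def timechart(events, span_minutes, agg, field=None, fill_empty=False):
    """Emulate `timechart span=<n>m <agg>(<field>) by host`.

    fill_empty=False follows the documented rule: only (bucket, host) pairs
    that actually have events are emitted.
    fill_empty=True reproduces the shape observed for count(): every host
    appears in every bucket that has any data (assumed rule: observed
    buckets crossed with observed hosts), with 0 where the host had no
    events. max() of an empty group has no value, so such rows are skipped,
    which is what the issue shows for max(packets)."""
    groups = defaultdict(list)
    for e in events:
        groups[(bucket_start(e["@timestamp"], span_minutes), e["host"])].append(e)
    if fill_empty:
        buckets = sorted({b for b, _ in groups})
        hosts = sorted({h for _, h in groups})
        keys = [(b, h) for b in buckets for h in hosts]
    else:
        keys = sorted(groups)
    rows = []
    for bucket, host in keys:
        members = groups.get((bucket, host), [])
        if agg == "count":
            rows.append([bucket, host, len(members)])
        elif agg == "max" and members:
            rows.append([bucket, host, max(e[field] for e in members)])
        elif agg != "max":
            raise ValueError(f"unsupported aggregation: {agg}")
    return rows


def drop_empty_buckets(response: dict) -> dict:
    """Client-side normaliser: remove zero-count rows from a
    `timechart ... count() by ...` response so it matches the documented
    sparse form. The count column is located by name because the issue
    shows the server labelling it both "count()" and "count"."""
    count_idx = next(i for i, col in enumerate(response["schema"])
                     if col["name"] in ("count", "count()"))
    rows = [r for r in response["datarows"] if r[count_idx] != 0]
    return {"schema": response["schema"], "datarows": rows,
            "total": len(rows), "size": len(rows)}


if __name__ == "__main__":
    print(len(timechart(EVENTS, 1, "count")), "sparse count rows")
    print(len(timechart(EVENTS, 1, "count", fill_empty=True)), "zero-filled count rows")
    print(len(drop_empty_buckets(ACTUAL_COUNT_RESPONSE)["datarows"]), "rows after normalising")
```

Running the script prints 8, 16 and 8: the documented form, the observed form, and the observed form after `drop_empty_buckets`, which brings the `count()` output back in line with what `max(packets)` already returns. The normaliser is a workaround for consumers, not a fix; the server should emit one shape for all aggregations.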
Dataset Information
Dataset/Schema Type
Index Mapping
{
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"host": {
"type": "text"
},
"cpu_usage": {
"type": "double"
},
"region": {
"type": "keyword"
}
}
}
}
Sample Data
{"@timestamp":"2023-01-01T10:00:00Z","event_time":"2023-01-01T09:55:00Z","host":"server1","message":"Starting up","level":"INFO","category":"orders","status":"pending","packets":60}
Impact:
Users are left unsure what to expect from the results: the same query shape returns zero-filled rows for count() and omits empty buckets for max().