https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-timeseries-chart/m-p/1220468#M7889 <P><SPAN>I'm trying to build a timeseries chart that counts alert volume per day and that fills in zero values for days with no data. I have the following XQL that populates days with data but I'm unable to fill in a zero for all other days between now and the last event.</SPAN></P> <P>&nbsp;</P> <P><SPAN>dataset = alerts | bin _time span = 1D timeshift = 1736879866 timezone = "America/New_York" | comp count() as numEvents by _time</SPAN><BR /><SPAN>| sort asc _time</SPAN><BR /><SPAN>| view graph type = line header = "Accessing bash history file using bash commands" xaxis = _time yaxis = numEvents</SPAN></P> <P>&nbsp;</P> <P><SPAN>How do I do this?</SPAN></P> Fri, 14 Feb 2025 19:15:23 GMT Samuel_Mino 2025-02-14T19:15:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-timeseries-chart/m-p/1220468#M7889 <P><SPAN>I'm trying to build a timeseries chart that counts alert volume per day and that fills in zero values for days with no data. I have the following XQL that populates days with data but I'm unable to fill in a zero for all other days between now and the last event.</SPAN></P> <P>&nbsp;</P> <P><SPAN>dataset = alerts | bin _time span = 1D timeshift = 1736879866 timezone = "America/New_York" | comp count() as numEvents by _time</SPAN><BR /><SPAN>| sort asc _time</SPAN><BR /><SPAN>| view graph type = line header = "Accessing bash history file using bash commands" xaxis = _time yaxis = numEvents</SPAN></P> <P>&nbsp;</P> <P><SPAN>How do I do this?</SPAN></P> Fri, 14 Feb 2025 19:15:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-timeseries-chart/m-p/1220468#M7889 Samuel_Mino 2025-02-14T19:15:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-timeseries-chart/m-p/1220708#M7907 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/742650279">@Samuel_Mino</a>&nbsp;,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Thanks for reaching out on LiveCommunity!</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below is the sample query for Incidents, please have a look and modify your query as per your requirements:<BR />dataset = incidents | bin _time span = 1h | comp count (incident_id) as event_count by _time | sort asc _time | union ( dataset = xdr_data | filter event_type = ENUM.AGENT_STATUS | bin _time span=30m // Make sure this is smaller than your original time buckets | comp count() as empty_bucket_count by _time | alter empty_bucket_count = 0 ) | bin _time span=1h | comp sum(event_count) as event_count, sum(empty_bucket_count) as empty_bucket_count by _time | alter event_count = coalesce(event_count, empty_bucket_count)<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.</SPAN></P> Tue, 18 Feb 2025 06:18:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-timeseries-chart/m-p/1220708#M7907 aspatil 2025-02-18T06:18:40Z