I've stripped some of my query out but I am trying to count the entries from my query from 5 minute buckets.
There may occasionally be no data in these buckets as there were no requests but I want to be able to represent that as a 0 rather than null so that I can then compare that against a previous week.
requests | where success == true | summarize Count = count() by bin(timestamp, 5m) | extend Count = iif(isnull(Count) or Count == 0, 0, Count)
This is returning the following results set
because of my | extend Count = iif(isnull(Count) or Count == 0, 0, Count) I would have expected my results to show all the 5 min buckets between 09:05 and 09:30 but with a count of 0
I can get this to a 0 with a make series but I'm not wanting to make series for graphing as I want to then use this data set to compare to say the week prior to work out any differences
To show
NULLvalues instead of 0. You can use below query,unmatched_datafilters outtimestampsfrom the generated sequence to simulate unmatched data. In thattimestampsmatching the ones in thereal_datatable are excluded from the sequence. TheCountfor these unmatched timestamps is initialized to 0.left outerjoin is used to to ensure all timestamps from the sequence are included, irrespective of the existence of equivalent data in thereal_data.final_datachecks if theCountis null or zero and replaces it with 0 accordingly.Output: