I often faced an issue while authoring reports that take a function of the End-Time for the X axis and a Sum(aggregatedEventCount) for the Y Axis.
The issue is that whenever NO results were returned for a End_time function sampling period,this End Time sample will not appear in the report. This is a pure conceptual issue, as neither ArcSight/SQL has to know that I would like to have a 0 if no events occured during a sampling period...
I found a solution to mitigate this issue by using some tips retrieved here and that consist in using a sort of "probe" to be sure that all the sampling periods will be present in the report.
An example of the ouctome is shown on the picture: In the graph without probe, the hours from 22h to 05h are missing in the graph which gives an unaccurate pespective of the event flow. In the graph with a probe, those sample periods are shown.
Attached a .rar wih a package and a document !