- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- timechart: fill values in empty slots
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming I have the following log entries
2014-11-01 foo=bar
2014-11-02 foo=bax
With the search | timechart span=1d count only the days get plottet where actually an entries exists, but not on that days that have been happening since the last entry and now.
Is there a simple way to fill those gaps?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi zaphod1984,
take a look at this answer to get more details
http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
but you can do something like this:
... | stats count AS myCount by foo, _time | timechart span=1d sum(myCount) AS count
this way you would get a 0 for days with no events.
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi zaphod1984,
take a look at this answer to get more details
http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
but you can do something like this:
... | stats count AS myCount by foo, _time | timechart span=1d sum(myCount) AS count
this way you would get a 0 for days with no events.
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that's it, thanks!
i was hoping that there would be some kind of a parameter for timechart...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
any ideas on how to accompilish this when it comes to averages, medians etc. instead of a simple count?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
take a look at the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/CommonStatsFunctions for all available functions for timechart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi i know the methods that are available but a search like this would not be accurate anymore when using the approach mentioned above: ... | stats p90(foo) AS myP90Foo _time | timechart span=1d p90(myP90Foo) AS p90Foo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the stats is only there to create empty event counts not to do any aggregation or such, do all this in your timechart
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
