Solved: How to display all data sets for each time bucket ...

DanielFordWA · ‎12-03-2014

I would like to see the following

_time Data1 Data2
2014-10-01 22 1
2014-10-02 32 8
2014-10-03 46 -
2014-10-04 54 10

However when ever I'm using join / append / appendcols I only get the following. The time bucket with no data for one of the Data sets causes the entire bucket not display.

_time Data1 Data2
2014-10-01 22 1
2014-10-02 32 8
2014-10-04 54 10

I have tried fillnull and other methods but I can't get it to work. It seems quite a straight forward thing to do, I think I am missing something.

Hope you can Help!

musskopf · ‎12-03-2014

I suspect you're using join to combine Data1 and Data2 right? If that's the case, are you using the option type=left?

This option basically tells the join keep events even if there is no match on the subsearch. By default join uses type=inner, which means that only joined events will be kept.

View solution in original post

somesoni2 · ‎12-03-2014

What's the query you're executing?

musskopf · ‎12-03-2014

I suspect you're using join to combine Data1 and Data2 right? If that's the case, are you using the option type=left?

This option basically tells the join keep events even if there is no match on the subsearch. By default join uses type=inner, which means that only joined events will be kept.

DanielFordWA · ‎12-18-2014

Thanks for this. I resolved the issues now.

How to display all data sets for each time bucket combined with join, append or appendcols when data for one data set is missing?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!