Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cumulative total "resets" with timechart and streamstats

juraj
Explorer
‎03-19-2013 01:38 AM

Hello,

I can't for the life of me figure out what am I doing wrong here.
I'm trying to keep track of total running transactions, my logfiles are more or less of the following syntax:
timestamp host=$host transaction_count=12345

I am trying to calculate total number of transaction per host. The log entries don't occur regularly, there may be days until a given host has any transaction.

The following:

...| bin _time |stats sum(transaction_count) as transaction_count by host,_time |streamstats sum(transaction_count) as transaction_count by host |timechart last(transaction_count) by host

seems to be more or less working, although why I need the first stats I am not sure. However, due to 1 day span most of my actual table entries are empty, and as such, once I plot the data in a report, it looks very ugly. As the "connect" option sometimes inexplicably drops the values to zero in the multi-series area graph (another slight mystery to me), although it's supposed to be a cumulative value, is there a way to force streamstats to populate those empty spots in my table with the last earlier "known" value? In other words, if I have a value of 100 at timestamp 12:00, and 200 at timestamp 15:00, with span=1h, can I backfill the 13:00 and 14:00 values with 100?

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎03-19-2013 11:35 AM

Would filldown suit your needs ?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

juraj
Explorer
‎03-26-2013 07:09 AM

It did indeed, thanks a lot ... I think I tried it before, but now it somehow seems to do exactly what I want. Thanks again!

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎03-19-2013 11:35 AM

Would filldown suit your needs ?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...