Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart: fill values in empty slots

zaphod1984
Path Finder
‎11-27-2014 04:43 AM

Assuming I have the following log entries

2014-11-01 foo=bar
2014-11-02 foo=bax

With the search | timechart span=1d count only the days get plottet where actually an entries exists, but not on that days that have been happening since the last entry and now.
Is there a simple way to fill those gaps?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎11-27-2014 04:50 AM

Hi zaphod1984,

take a look at this answer to get more details
http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html

but you can do something like this:

... | stats count AS myCount by foo, _time | timechart span=1d sum(myCount) AS count

this way you would get a 0 for days with no events.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎11-27-2014 04:50 AM

Hi zaphod1984,

take a look at this answer to get more details
http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html

but you can do something like this:

... | stats count AS myCount by foo, _time | timechart span=1d sum(myCount) AS count

this way you would get a 0 for days with no events.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎11-27-2014 05:04 AM

that's it, thanks!
i was hoping that there would be some kind of a parameter for timechart...

0 Karma
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎11-27-2014 05:13 AM

any ideas on how to accompilish this when it comes to averages, medians etc. instead of a simple count?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-27-2014 05:16 AM

take a look at the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/CommonStatsFunctions for all available functions for timechart

0 Karma
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎11-27-2014 06:50 AM

hi i know the methods that are available but a search like this would not be accurate anymore when using the approach mentioned above: ... | stats p90(foo) AS myP90Foo _time | timechart span=1d p90(myP90Foo) AS p90Foo

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-27-2014 07:14 AM

the stats is only there to create empty event counts not to do any aggregation or such, do all this in your timechart

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...