Timechart Dropping Empty Buckets

werz · ‎11-06-2013

I am trying to create a search that provides me with the predicted average usage of a machine during the course of a month. The data logging this information is in an SQL database, which I query (using the dbconnect app) to gather a set of Date and Duration pairs which describe when the machine was used and for how long.

Here is what my query looks like:

My issue with this query is that timechart does not fill in 0's for my empty buckets, so the daily average is only the average for days when the systems are used which overinflates my estimate.

Is there any way to force timechart to fill in empty days with 0's so I can average over them?

Thanks

mishin · ‎11-05-2015

I think

| timechart cont=FALSE sum(count) by IP

help you

sdaniels · ‎11-06-2013

You'll want to use fillnull.

Replaces null values with a user specified value (default 0). Null values are those missing in a particular result, but present for some other result. If a field-list is provided, fillnull is applied to only fields in the given list (including any fields that does not exist at all). Otherwise, applies to all existing fields.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Fillnull

linu1988 · ‎11-06-2013

Will this help?

http://answers.splunk.com/answers/74749/fillnull-not-working-on-my-search

Timechart Dropping Empty Buckets

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!