I have several searches that count the number of results per day, using "stats count by date_mday". My problem is that they don't include days with 0 results, which means I have to do a bit of manipulation after running the search.
Is there any way of forcing it to include a date entry for days with 0 matches?
I was wondering if I could achieve this with timechart and fillnull, but found the documentation (http://www.splunk.com/base/Documentation/4.2.2/SearchReference/Timechart) a bit confusing.
Thanks.
Yes, you can:
your search | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday
The timechart does most of what you want, but the date_mday is blank for dates with no data, so the eval recreates this field, and finally the fields command cleans up the result.
Thank you very much for your help.