How include empty buckets in the start and end of timechart/bin output?

sureshbabu123
New Member

I have a scenario here.

I have data in my local Splunk for time range from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. I need to get the data count in buckets based on time span of 15 minutes. If I try to search data from 6-Nov-2015 10:30 UTC to 10-Nov-2015 15:30 UTC using timechart, I am getting empty buckets in between the data, but losing the empty buckets at the start/end. And I am getting buckets from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. Can anyone suggest how to get the empty buckets at the start/end?

My Splunk search is:

(index=my_index msecBefore>=1446805800000 msecBefore<=1447169400000 label="testLabel") | timechart cont=true span=15m count(eval( msecElapsed<72000000)) as Satisfied

Any help would be appreciated.

Regards,
Suresh

DalJeanis
SplunkTrust

Add in dummy records for start and end that won't affect the result. i.e, that have msecElapsed greater than your satisfied number. Do this immediately before your timechart command.

| append
    [| makeresults
     | eval msecElapsed=72000001
     | eval MyFlag=mvappend("DummyStart","DummyEnd")
     | mvexpand MyFlag ]
| addinfo
| eval _time=case(isnull(MyFlag),_time,MyFlag=="DummyStart",info_min_time,MyFlag=="DummyEnd",info_max_time)

The addinfo command has to be outside the brackets, so it pulls its info_min_time and info_max_time from the outside search time range.
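A small Python model of the mechanism described in the answer above (added illustration, not Splunk code and not from the thread): bucket a constructed event set the way the thread describes timechart behaving, once as-is and once with the two dummy rows appended at the search window edges. The functions, field names and sample timestamps are the example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

SPAN = timedelta(minutes=15)
SATISFIED_MS = 72_000_000  # same threshold as the thread's count(eval(msecElapsed<72000000))

def bucket_of(t, span=SPAN):
    """Floor a timestamp to the start of its span-aligned bucket (models bin/timechart)."""
    epoch = int(t.timestamp())
    s = int(span.total_seconds())
    return datetime.fromtimestamp(epoch - epoch % s, tz=timezone.utc)

def timechart_satisfied(events, span=SPAN):
    """Model of `timechart cont=true span=15m count(eval(msecElapsed<72000000))`:
    buckets only run from the first event's bucket to the last event's bucket,
    which is why leading and trailing empty buckets disappear."""
    if not events:
        return {}
    first = bucket_of(min(e["_time"] for e in events), span)
    last = bucket_of(max(e["_time"] for e in events), span)
    counts = {}
    b = first
    while b <= last:  # cont=true fills the gaps between first and last
        counts[b] = 0
        b += span
    for e in events:
        if e["msecElapsed"] < SATISFIED_MS:
            counts[bucket_of(e["_time"], span)] += 1
    return counts

def pad_to_window(events, info_min_time, info_max_time):
    """The thread's trick: append two dummy rows at the search window edges whose
    msecElapsed exceeds the threshold, so they widen the bucket range but add 0 to Satisfied."""
    dummies = [{"_time": info_min_time, "msecElapsed": SATISFIED_MS + 1},
               {"_time": info_max_time, "msecElapsed": SATISFIED_MS + 1}]
    return events + dummies

# Constructed sample (assumption): search window 10:30-12:30 UTC, events only between 11:05 and 11:50.
def ts(h, m):
    return datetime(2015, 11, 6, h, m, tzinfo=timezone.utc)

WINDOW_MIN, WINDOW_MAX = ts(10, 30), ts(12, 30)  # stand-ins for addinfo's info_min_time / info_max_time
EVENTS = [{"_time": ts(11, 5), "msecElapsed": 1_000},
          {"_time": ts(11, 7), "msecElapsed": 90_000_000},
          {"_time": ts(11, 50), "msecElapsed": 5_000}]
```

In this model a dummy placed exactly at info_max_time falls into the bucket that starts at info_max_time, so a span-aligned window gains one bucket past its end; shift that dummy back by a second if the chart should stop at the window boundary.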

seanclark
Engager

Thank you DalJeanis! While this is a lot of work for such a simple outcome, it does work!

DalJeanis
SplunkTrust

Agreed. It would seem that you should be able to use a combination of the bin start/end options and the continuous flag, but (as I understand it) there are some finicky things about the order of the bin options and how much option information Splunk thinks is enough... and more than that is not allowed.

seanclark
Engager

Hello Suresh,

Did you find a solution for this? I am having the same problem.

Thanks
Sean

seanclark
Engager

Thanks lquinn, but that didn't work.

This is my search

sn_edge_encryption (host="XXXXXXX*") OR (host="XXXXX*") proxy NOT EdgeEncryptionProcessor | timechart span=30s count fixedrange=true

My search window is

34 events (2/8/17 10:20:00.000 AM to 2/8/17 11:36:00.000

But when I go to the visualization tab the chart that comes up starts at my first search result which is 1031. I want the chart on the visualization tab to be the same time range as my search window above.

lguinn2
Legend

You don't need cont=true in the timechart command. I think that fixedrange=true is the default, but you might add it to be sure...
