Splunk Search

How do I deal with missing time for multiple sources?

bdumbeck
Engager

I need to report for each minute during a given month for numerous sources. My issue is dealing with missing transactions; exactly what I need to report on. If I use timechart span=1m count, I get the missing entries, but for only one source. If I include all sources I get all the data, but the source is where the count is.

_time...........................................srcA.....srcB
2016-01-01T00:00:00.000-0600.....0........4
2016-01-01T00:01:00.000-0600.....0........1
2016-01-01T00:02:00.000-0600.....0........3
2016-01-01T00:03:00.000-0600.....1........2
.

.

2016-01-31T23:56:00.000-0600.....0........3
2016-01-31T23:57:00.000-0600.....0........2
2016-01-31T23:58:00.000-0600.....0........0
2016-01-31T23:59:00.000-0600.....0........1

When what I want is, i think.....

source...._time................................................Count
srcA........2016-01-01T00:00:00.000-0600........0

srcA........2016-01-01T00:01:00.000-0600........0

srcA........2016-01-01T00:02:00.000-0600........0

srcA........2016-01-01T00:03:00.000-0600........1

.

.

srcA........2016-01-31T23:56:00.000-0600........0

srcA........2016-01-31T23:57:00.000-0600........0

srcA........2016-01-31T23:58:00.000-0600........0

srcA........2016-01-31T23:59:00.000-0600........0

srcB........2016-01-01T00:00:00.000-0600........4
srcB........2016-01-01T00:01:00.000-0600........1
srcB........2016-01-01T00:02:00.000-0600........3
srcB........2016-01-01T00:03:00.000-0600........2
.

.

srcB........2016-01-31T23:56:00.000-0600........3
srcB........2016-01-31T23:57:00.000-0600........2
srcB........2016-01-31T23:58:00.000-0600........0
srcB........2016-01-31T23:59:00.000-0600........3

If I use stats, I get only the counts when an event occurred. I thought I could use a subsearch to produce a template of times and 0 counts to merge with to fill in the missing rows, but the subsearch limit is 10500 rows and there are 44640 minutes in a 31 day month.

Any help is appreciated.

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

Try this

your search |timechart span=1m count by source|untable _time source count|sort source,_time
Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

Try this

your search |timechart span=1m count by source|untable _time source count|sort source,_time
Happy Splunking!
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...