How to write a search to fill in missing data with...

nivek000 · ‎06-09-2016

Suppose a search returns the following data:

_time Key Value
10:30:00 Key1 8
10:30:00 Key2 50
10:31:00 Key2 100
10:35:00 Key1 9
10:36:00 Key2 200

I would like to apply a Splunk command to fill in the missing values (by the minute) with the last seen value. So, the results would look like (filled in results in italics):

_time Key Value
10:30:00 Key1 8
10:30:00 Key2 50
10:31:00 Key1 8 *
10:31:00 Key2 100
*10:32:00 Key1 8 *
*10:32:00 Key2 100 *
*10:33:00 Key1 8 *
*10:33:00 Key2 100 *
*10:34:00 Key1 8 *
*10:34:00 Key2 100 *
10:35:00 Key1 9
*10:35:00 Key2 100 *
*10:36:00 Key1 9
10:36:00 Key2 200

Note that I can achieve this for search results that contain only one of the keys using timechart and filldown. I cannot see how it can operate on segments of the data independently (by key). The "by" keyword for timechart does not behave like the "by" keyword in stats (a "group by" function).

sundareshr · ‎06-09-2016

See if this works

... | bin span=15m _time | stats last(value) as value by _time key | filldown value | xyseries _time key value

nivek000 · ‎06-09-2016

I do not believe this will work because neither bin nor stats adds rows for missing time entries. This is why I was trying timechart which will provide an entry for every minute even if there is not data - then filldown adds the missing values. But I do not know how to get timechart to do a stats-like "group by" so that the missing times and values are filled in independently for each key.

sundareshr · ‎06-09-2016

You're right. You could try the untable command...

... | timechart values(value) as v  by key | untable _time key v | filldown v | xyseries _time key v

How to write a search to fill in missing data with the last seen value?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!