Solved: How to write a search to identify periods with no ...

evelenke · ‎08-31-2016

Hi, Splunkers!

I have log where some different events (event A, event B, event C...) are expected to be generated periodically .
Now I want to calculate number of appearances of each event per_hour and identify, what of events did not appear in this particular time chunks and create report.
Like this:

time                   event      count
2016-08-31 22:00;00    event_A    0
2016-08-31 22:00;00    event_B    1
2016-08-31 22:00;00    event_C    3
2016-08-31 23:00;00    event_A    2
...

What I've tried:
1. | bucket _time span=1h | stats count by event _time | sort event by _time
This do not return zero values of count (e.g. time: "2016-08-31 22:00:00" event: "event_A" count: 0)
2. chart or timechart span=1h count by event helps only to visually identify my zero points, but I need an inline table view,
3. stats latest(_time) by event | eval diff=now()-latest ... not an option as this is required for historical data.

Do I miss something? How can I get result alike presented above?

sundareshr · ‎08-31-2016

Try this

... | timechart span=1h cont=t count by event | untable _time event count

View solution in original post

sundareshr · ‎08-31-2016

Try this

... | timechart span=1h cont=t count by event | untable _time event count

evelenke · ‎09-01-2016

This is it, thank you!

How to write a search to identify periods with no events in historical data?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!