Splunk Search

preserve original columns after initial search

jimbolya
New Member

I have a search:

index=proxy sourcetype=proxy_logs (url="somewebsite.com:443" OR url=" somewebsite.com:443 " OR url=" somewebsite.com:443 " OR url=" somewebsite.com:443 ")
| timechart count by url span=5 limit=10 useother=f usenull=f

The search runs on a 'Yesterday' time setting.

My issue is this. One day the columns will show all four particular websites.

Somewebsite Somewebsite Somewebsite Somewebsite

On the following day because there was no traffic to one of the sites I'll lose a column and it will show up as

Somewebsite Somewebsite Somewebsite

I need to know how to preserve these columns so that when the data is exported over to another analytics tool the columns are always there even if there was no data.

Any ideas would be great. I'm constantly running into this issue where I need the columns in any search to always be preserved.

0 Karma

jimbolya
New Member

So that created the columns but didn't insert the data...

0 Karma

diogofgm
SplunkTrust

Use and check comments in my post rather than creating answers.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

jimbolya
New Member

Sounds good. I'll try this later today.

Jimbo

0 Karma

diogofgm
SplunkTrust

list your urls using fields

your search 
| fields _time Somewebsite Somewebsite Somewebsite Somewebsite
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

diogofgm
SplunkTrust

This will only fill data into the url fields that contain data, but all the fields will be listed there, so when you export, the columns are always there. If you're not getting any data, it's probably because you are using urls that are not getting data or you are not naming the fields correctly (e.g. if your url is "somewebsite.com:443" you need to use |fields _time "somewebsite.com:443").
Just look at the fields that your timechart has created.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

jimbolya
New Member

10 4
Will try that as well.

Thanks!

0 Karma
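
An added example, not part of the original thread or any poster's search: one way to keep a fixed column set in the timechart output is to name every expected series in `fillnull`, which creates a listed field that is missing and sets it to 0, and then pin the column order with `table`. The four hostnames below are constructed placeholders standing in for the real url values, and the `5m` span is an assumption.

```spl
index=proxy sourcetype=proxy_logs (url="site-a.example:443" OR url="site-b.example:443" OR url="site-c.example:443" OR url="site-d.example:443")
| timechart span=5m count by url limit=10 useother=f usenull=f
| fillnull value=0 "site-a.example:443" "site-b.example:443" "site-c.example:443" "site-d.example:443"
| table _time "site-a.example:443" "site-b.example:443" "site-c.example:443" "site-d.example:443"
```

The quoted names must match the url values exactly as timechart names its columns, otherwise the export gets an extra all-zero column next to the real one.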