- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Stop Splunk charts from reporting 0 when no events...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stop Splunk charts from reporting 0 when no events have happened yet today
Hi,
I'm hoping someone can help me, we have some reporting setup that queries a database once a day after the query and the database is populated the charts are fine but before that time they all report today as 0/null.
Is it possible to not report anything for today until an event happens? So just have yesterdays event and nothing for today.
Thanks,
Steve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that I understood your question, and that the data is presented in a dashboard, you should schedule the search that creates the chart in the dashboard. If you set the schedule to run the search once a day, the dashboard should show the latest cached search results, instead of running the search when loading the dashboard.
The trick is to schedule the search to run just after the data is available for searching/reporting.
UPDATE:
Yes. You can do that. Or not. It all depends on the data you have coming in. If you could edit your original question for clarity, and perhaps describe the nature of the data coming in, and what you want out of it.
Perhaps this can help you;
http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/Specifytimemodifiersinyoursearch
or try a subsearch approach (where your_base_search would be something like host=asdf or sourcetype=qwer).
your_base_search earliest=-2w [search your_base_search | head 1 | fields + date_mday ] | the rest of your search
In this case the subsearch will take the first occurrence it finds (head 1) and return the day of the month to the outer search, where it will be added as a search criteria. See:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/Aboutsubsearches
To schedule a search: goto Manager -> Searches, click on your search. check the box which says 'schedule this search'. enter a schedule (basic or cron). save.
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see update above /k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok is there not a way to tell Splunk to only show data for a particular day when an event happens? For example if my event is at 4pm today it would still show yesterdays data up until the end of the chart until the event? Also, how do you schedule a search?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
