Splunk Search

Force Span to have values

TiagoMatos
Path Finder

Hello!

I'm trying to make a timechart with this:

sourcetype=processedsiebel NOT error*| eval X =replace(SWEMethod, "^(\w+)_@.+$", "\1" ) | timechart usenull=F limit=0 span=1s count by SWEMethod | table SWEMethod

The problem is there are seconds with no activity in any of the SWEMethod elements. So I'm trying to obtain 86400 entries ( a full day) but only 39000 appear. How do I put a 0 on every timeline (second) that has no activity?

Thank you

1 Solution

jtrucks
Splunk Employee

The way I did this was with just the timechart.

For example, using my irssi IRC logs to reproduce the condition of some empty seconds and multiple values in the field (ircnick in this case) in the results:

| timechart span=1s usenull=f limit=0 count by ircnick

*note: I used a single minute for testing and the result count is 60.

The result looks like (with right side truncated for display purposes):

[screenshot: timechart result table with one row per second, including the seconds with count 0]

--
Jesse Trucks
Minister of Magic
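To show what `timechart span=1s ... count by <field>` produces over a window that contains empty seconds, here is an added Python emulation (not code from the thread or from Splunk). It uses constructed sample events with SWEMethod values in the `<method>_@<suffix>` shape the question's regex assumes, applies that regex the way the question's `eval` does, and buckets per second over a fixed window so every second gets a row and empty seconds get 0 in every column; over a full day the same call yields the 86400 rows the question asks for.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from the original thread). SWEMethod values
# follow the "<method>_@<suffix>" shape the question's regex expects, and the
# seconds :01 and :03 deliberately contain no events at all.
SAMPLE_EVENTS = [
    ("2024-03-01T00:00:00Z", "Login_@abc123"),
    ("2024-03-01T00:00:00Z", "Query_@def456"),
    ("2024-03-01T00:00:02Z", "Login_@ghi789"),
    ("2024-03-01T00:00:04Z", "Update_@jkl012"),
    ("2024-03-01T00:00:04Z", "Login_@mno345"),
]

METHOD_RE = re.compile(r"^(\w+)_@.+$")  # the pattern from the question's eval


def to_epoch(ts):
    """ISO-8601 UTC timestamp ('...Z') -> integer epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def method_name(raw):
    r"""Emulate eval X=replace(SWEMethod, "^(\w+)_@.+$", "\1")."""
    m = METHOD_RE.match(raw)
    return m.group(1) if m else raw


def timechart_1s(events, start, end):
    """Emulate `timechart span=1s usenull=f limit=0 count by X` over the
    search window [start, end): one row per second, one column per method
    seen anywhere in the window, and 0 wherever nothing happened."""
    start_s, end_s = to_epoch(start), to_epoch(end)
    counts, methods = {}, set()
    for ts, raw in events:
        sec, name = to_epoch(ts), method_name(raw)
        if not start_s <= sec < end_s:
            continue  # outside the search window, as Splunk would drop it
        methods.add(name)
        counts[(sec, name)] = counts.get((sec, name), 0) + 1
    cols = sorted(methods)
    rows = [{"_time": sec, **{c: counts.get((sec, c), 0) for c in cols}}
            for sec in range(start_s, end_s)]
    return cols, rows


if __name__ == "__main__":
    cols, rows = timechart_1s(SAMPLE_EVENTS, "2024-03-01T00:00:00Z", "2024-03-01T00:00:05Z")
    print("_time", *cols)
    for r in rows:
        print(r["_time"], *(r[c] for c in cols))
```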


TiagoMatos
Path Finder

You're right, that should be totally enough. I definitely have another problem related to the data. The fact I noticed is that I have seconds with count=0 and they are shown as well as the others. I'll have to investigate what happened with the data. Thank you very much.

TiagoMatos
Path Finder

Ok, I'll try to clarify it: I just want the table of results. So what I expect to get is the number of SWEMethod events in each second, even if there hasn't been any Method of any type. So I want an 86400 x #SWEMethod matrix.


jtrucks
Splunk Employee

I used this same timechart using a dataset I knew would have null results for certain seconds, and I still have an entry for every second in the timechart. I tried doing the |table fieldname... but I got 0 results doing that. Are you looking for the timechart output, or just the list of results? The table at the end would just get you the list of results, right? If you need 86400 entries in the table, you might have to do funny stuff with eval to change the value of the count if it is 0.

I'm not entirely clear what the end result you are looking for should be. Could you clarify?

--
Jesse Trucks
Minister of Magic