Solved: How to display all data sets for each time bucket ...

DanielFordWA · ‎12-03-2014

I would like to see the following

_time Data1 Data2
2014-10-01 22 1
2014-10-02 32 8
2014-10-03 46 -
2014-10-04 54 10

However when ever I'm using join / append / appendcols I only get the following. The time bucket with no data for one of the Data sets causes the entire bucket not display.

_time Data1 Data2
2014-10-01 22 1
2014-10-02 32 8
2014-10-04 54 10

I have tried fillnull and other methods but I can't get it to work. It seems quite a straight forward thing to do, I think I am missing something.

Hope you can Help!

musskopf · ‎12-03-2014

I suspect you're using join to combine Data1 and Data2 right? If that's the case, are you using the option type=left?

This option basically tells the join keep events even if there is no match on the subsearch. By default join uses type=inner, which means that only joined events will be kept.

View solution in original post

somesoni2 · ‎12-03-2014

What's the query you're executing?

musskopf · ‎12-03-2014

I suspect you're using join to combine Data1 and Data2 right? If that's the case, are you using the option type=left?

This option basically tells the join keep events even if there is no match on the subsearch. By default join uses type=inner, which means that only joined events will be kept.

DanielFordWA · ‎12-18-2014

Thanks for this. I resolved the issues now.

How to display all data sets for each time bucket combined with join, append or appendcols when data for one data set is missing?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?