Suppose a search returns the following data:

    _time     Key   Value
    10:30:00  Key1  8
    10:30:00  Key2  50
    10:31:00  Key2  100
    10:35:00  Key1  9
    10:36:00  Key2  200
I would like to apply a Splunk command to fill in the missing values (by the minute) with the last seen value. So, the results would look like this (filled-in rows marked with *):

    _time     Key   Value
    10:30:00  Key1  8
    10:30:00  Key2  50
    10:31:00  Key1  8     *
    10:31:00  Key2  100
    10:32:00  Key1  8     *
    10:32:00  Key2  100   *
    10:33:00  Key1  8     *
    10:33:00  Key2  100   *
    10:34:00  Key1  8     *
    10:34:00  Key2  100   *
    10:35:00  Key1  9
    10:35:00  Key2  100   *
    10:36:00  Key1  9     *
    10:36:00  Key2  200
Note that I can achieve this for search results that contain only one of the keys using timechart and filldown. I cannot see how it can operate on segments of the data independently (by key). The "by" keyword for timechart does not behave like the "by" keyword in stats (a "group by" function).
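One way to get the table above in SPL, as an added example that is not part of the original post: timechart with a by clause produces one column per distinct Key value (Key1, Key2, ...) with one row per minute bucket, so filldown on that wide result carries each key's last value forward independently, and untable converts it back to the _time/Key/Value layout. The first line is a placeholder for whatever base search returns the _time, Key and Value fields (an assumption; the question does not show the search). Field names Key and Value are the ones from the question.

```spl
<base search returning _time, Key, Value>
| timechart span=1m limit=0 latest(Value) by Key
| filldown
| untable _time Key Value
| sort 0 _time Key
```

On the five sample events this yields the 14 rows listed in the question, with Key1 carrying 8 through 10:34 and Key2 carrying 100 through 10:35. Things to check: latest(Value) picks the last event if a key logs twice inside one minute bucket; limit=0 is needed because timechart otherwise folds everything past the ten most common keys into an OTHER series; filldown cannot fill a key before its first observation, and untable drops those still-null cells, so a key that first appears at 10:33 simply has no rows before that; and the grid runs to the end of the search time range, so the last seen value of a key is carried forward to the end of the window even if that key went quiet.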