topic Re: How can I add empty time buckets to my table? in Deployment Architecture

How can I add empty time buckets to my table?

jedatt01 — Mon, 28 Mar 2016 15:31:40 GMT

I have a dataset which I cannot use timechart because i'm splitting by two fields. Not all of the values of message have events in all time buckets. Is there a way to add 0 time buckets for each of value of message?

index=myindex msg_severity=* | bucket span=1m _time | stats count by message msg_severity _time

Re: How can I add empty time buckets to my table?

woodcock — Mon, 28 Mar 2016 21:32:59 GMT

You need the fillnull command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull

Use it like this:

index=myindex msg_severity=* | fillnull value=NULL message msg_severity | bucket span=1m _time | stats count by message msg_severity _time

Re: How can I add empty time buckets to my table?

jedatt01 — Tue, 29 Mar 2016 13:12:54 GMT

Not quite there yet. Let me try to explain a little better. Not all of the values of message have entries every minute, so they won't show up in all time buckets. In my resulting table the entries for those time buckets are just missing, example below

_time message    msg_severity count
9:00   message1  error               10
9:01   message1  error               6
9:00   message2  warning          3
9:01   message2  warning          4
9:01   message3  notice              6

The 9:00 entry for message3 is missing. I want the table to look like

_time message    msg_severity count
9:00   message1  error               10
9:01   message1  error               6
9:00   message2  warning          3
9:01   message2  warning          4
9:00   message3  notice              0
9:01   message3  notice              6

Re: How can I add empty time buckets to my table?

somesoni2 — Tue, 29 Mar 2016 16:46:19 GMT

What's max time range (considering 1m time bucket) and what's the total number of message-msg_severity combination? If either of them is smaller, we can try something with chart command.

Re: How can I add empty time buckets to my table?

jedatt01 — Tue, 29 Mar 2016 18:10:09 GMT

time range is only 2 minutes. Total message - msg_severity combinations is one. It's always unique. Hope that helps.

Re: How can I add empty time buckets to my table?

jedatt01 — Tue, 29 Mar 2016 18:27:51 GMT

I just figured out the solution. Somesoni2's response gave me hint. Since msg_severity is always the same for each message, I combined the fields, then ran it through the timechart command. Then untable and wa-lah!

index=myindex msg_severity=* | eval message_severity = message + "|" + msg_severity | timechart span=1m count by message_severity | untable _time message_severity count | eval temp = split(message_severity,"|") | eval message = mvindex(temp,0) | eval msg_severity = mvindex(temp,1) | table _time message msg_severity count

Re: How can I add empty time buckets to my table?

somesoni2 — Tue, 29 Mar 2016 18:50:59 GMT

If there could be more 10 messages possible, then you can include limit=0 in you timechart to ensure you get every message-severity listed for you.