https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356023#M105351 <P>I would suggest keeping it in epoch format, rename to _time and use timechart instead, like this</P> <PRE><CODE>index=aaaa earliest=-28d@d latest=@d | ....your logic to extract timestamp from file name in epoch format ..| | eval _time=customdateinepoch |timechart span=1d count </CODE></PRE> Mon, 23 Apr 2018 14:58:11 GMT somesoni2 2018-04-23T14:58:11Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356020#M105348 <P>Hi,</P> <P>I have a data in which there is a content of the filename with the timestamp in epoch time as below : </P> <P>File generated at : /home/AAA/file_one_573838339.txt<BR /> File generated at : /root/BBB/file_one_5722929299.txt</P> <P>Now, the _time value for both the events are diff. I have converted the epoch time in human readable format and captured in a field called "customdate", now I want to know what is the count of file for each date. </P> <P>I gave .. .index=aaaa earliest=-28d@d latest=@d| ... .| stats count by "customdate"</P> <P>If I give this, I am getting the data for the last 28 days but some times I only see the data for 10 days not for all 28 days.</P> <P>for the missing days, the data is now showing in the graph. it is only showing me the data for which data is present. Kindly help me to get this solved.</P> <P>I should see the data as 0 for the missing days along with the data present in the custom date.</P> Tue, 29 Sep 2020 19:11:58 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356020#M105348 abhayneilam 2020-09-29T19:11:58Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356021#M105349 <P>Can you tell me how your extracting _time as epoch? And also what search query you are using for epoch conversion?</P> Mon, 23 Apr 2018 14:07:33 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356021#M105349 p_gurav 2018-04-23T14:07:33Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356022#M105350 <P>573838339 and 5722929299 are the epoch time , which we are changing to the customdate field and then doing stats count on that </P> Mon, 23 Apr 2018 14:47:02 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356022#M105350 abhayneilam 2018-04-23T14:47:02Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356023#M105351 <P>I would suggest keeping it in epoch format, rename to _time and use timechart instead, like this</P> <PRE><CODE>index=aaaa earliest=-28d@d latest=@d | ....your logic to extract timestamp from file name in epoch format ..| | eval _time=customdateinepoch |timechart span=1d count </CODE></PRE> Mon, 23 Apr 2018 14:58:11 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356023#M105351 somesoni2 2018-04-23T14:58:11Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356024#M105352 <P>This is another work around </P> <P>base search |extract epoch format <BR /> | convert ctime(epochfield) as pct |bin pct span=1d | stats count by pct</P> Mon, 23 Apr 2018 15:09:45 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356024#M105352 ssadanala1 2018-04-23T15:09:45Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356025#M105353 <P>This will not fix the continuation issue which he was already facing with his stats. Timechart will fill in the gaps in between.</P> Mon, 23 Apr 2018 15:15:08 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356025#M105353 somesoni2 2018-04-23T15:15:08Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356026#M105354 <P>This is not working, because if I do like this, all the value is coming as 0 </P> Mon, 23 Apr 2018 15:17:38 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356026#M105354 abhayneilam 2018-04-23T15:17:38Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356027#M105355 <P>This is not showing the result as expected as it is not showing the date for which there is no count. I want to have 0 for the dates when you dont have any events !!</P> Mon, 23 Apr 2018 15:22:35 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356027#M105355 abhayneilam 2018-04-23T15:22:35Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356028#M105356 <P>Can you share your full query?</P> Mon, 23 Apr 2018 15:24:51 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356028#M105356 somesoni2 2018-04-23T15:24:51Z https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356029#M105357 <P>Thanks for correcting me .</P> Mon, 23 Apr 2018 15:40:01 GMT https://community.splunk.com/t5/Splunk-Search/Custom-date-should-show-the-timechart-with-0-for-the-non/m-p/356029#M105357 ssadanala1 2018-04-23T15:40:01Z