topic Re: Removing empty bins in timechart in Splunk Search

Removing empty bins in timechart

dtow1 — Tue, 29 Sep 2020 20:30:56 GMT

Hello,

I am unable to eliminate empty buckets using the timechart command since moving to Splunk 7.0. For example in the below query I will see a gap for Tuesday and a continuous line from the Monday value to the Wednesday value. I'd like the chart (in this example) to not show Tuesday at all, just go from Monday to Wednesday. This used to work in older versions, so is there a modification needed to get this to work in Splunk 7.0+.

Thanks for any assistance.

index="_audit" | timechart cont=false count(date_wday) by date_wday | eval date_wday=lower(strftime(_time,"%A")) | where (date_wday!="tuesday") | fields - date_wday

Re: Removing empty bins in timechart

skoelpin — Wed, 18 Jul 2018 18:47:56 GMT

If you use stats this will give you what you're looking for

index="_audit" 
| stats count(date_wday) by date_wday 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| fields - date_wday

Re: Removing empty bins in timechart

skoelpin — Tue, 24 Jul 2018 16:14:56 GMT

@dtow1 did this help you?

Re: Removing empty bins in timechart

dtow1 — Tue, 24 Jul 2018 16:31:59 GMT

Hi skoelpin,

Unfortunately it did not. I'm still playing around with it though and if the solution comes out of a modification of what you posted I will accept it as the answer and update it with whatever the total solution is.

Re: Removing empty bins in timechart

dtow1 — Tue, 24 Jul 2018 16:32:29 GMT

Thank you for answering though and giving me other avenues to try.

Re: Removing empty bins in timechart

DalJeanis — Tue, 24 Jul 2018 16:47:12 GMT

You are working too hard. timechart will already bin the days for you automatically, so it doesn't make sense for you to be binning the count up by date_wday.

Use this if you are only doing your count by day:

index="_audit" 
| timechart span=d count 
| where count>0

On the other hand, if you are doing your count by hour, and also want to eliminate days where there were no count at all, then you need something slightly more complex.

index="_audit" 
| timechart span=h count as mycount 
| bin _time span=1d as Day 
| eventstats sum(mycount) as Daycount by Day 
| where Daycount > 0 
| fields - Day Daycount

And if you just want to kill Tuesday July 17, 2018 , for no particular reason, then you could do this...

index="_audit" 
| timechart span=h count as mycount 
| where strftime(_time,"%Y-%m-%d") != "2018-07-24"

Re: Removing empty bins in timechart

woodcock — Tue, 24 Jul 2018 18:42:03 GMT

You are looking at it the wrong way. Run for Last 7 days and check out the difference (note cont=) in the number of ROWS between this search:

index="_audit" 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| timechart span=1d cont=false count(date_wday) by date_wday

And this search:

index="_audit" 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| timechart span=1d cont=true count(date_wday) by date_wday

Re: Removing empty bins in timechart

dtow1 — Fri, 27 Jul 2018 15:27:18 GMT

Thanks for the answer, unfortunately I still see the day that I want to remove when I use this. No values show for the day, but the day is still present in the chart.

Re: Removing empty bins in timechart

dtow1 — Fri, 27 Jul 2018 15:27:40 GMT

Thanks for answering, this still has the same issue that for me though.

Re: Removing empty bins in timechart

dtow1 — Tue, 07 Aug 2018 22:45:25 GMT

Working with Splunk support, it appears that it is a bug. Thank you very much for taking the time to answer.

Re: Removing empty bins in timechart

dtow1 — Tue, 07 Aug 2018 22:46:00 GMT

Thank you for answering. It turns out that it is a bug.

Re: Removing empty bins in timechart

dtow1 — Tue, 07 Aug 2018 22:46:45 GMT

Thank you for answering. It turns out that the issue is a bug in our environment.