topic Re: Results for each minute in an hour (even if there's no data) in Splunk Search

Results for each minute in an hour (even if there's no data)

patilsh — Fri, 08 Sep 2017 21:18:53 GMT

Hello All,

Suppose I want a search results for past 60minutes, how spunk works now is if there is any event in past 60mins then that is displayed.

But what i want is Suppose time is 4pm and I give past 60mins, Splunk should start the data from 4:00, 4:01...... and so on till 5:00 irrespective of data is present or not, if data is not present then the result should give time with corresponding columns blank.

Can someone please help mw on this.

Re: Results for each minute in an hour (even if there's no data)

lfedak_splunk — Fri, 08 Sep 2017 21:39:36 GMT

Hey @patilsh, The comments on this post show each count by minute and then a second comment explains how to show the minutes without values
https://answers.splunk.com/answers/227568/how-to-edit-my-search-to-return-one-count-for-each.html

Re: Results for each minute in an hour (even if there's no data)

s2_splunk — Fri, 08 Sep 2017 22:04:38 GMT

If it's 4pm and you say 'past 60mins', Splunk will return data from 3pm-4pm. Not sure I understand what you are trying to do.

Re: Results for each minute in an hour (even if there's no data)

woodcock — Fri, 08 Sep 2017 22:06:12 GMT

Just add this:

| timechart span=1m count

Re: Results for each minute in an hour (even if there's no data)

mtranchita — Sat, 09 Sep 2017 23:32:47 GMT

If I follow the desired outcome he would need to include usenull
so something like:
| timechart usenull=1 span=1m count

Re: Results for each minute in an hour (even if there's no data)

DalJeanis — Sun, 10 Sep 2017 02:55:36 GMT

That depends on what you mean by "corresponding columns".

If you have very sparse events, and are wanting to show the details for the events when they are present, but show blank lines with the _time if they are not, then you can do this...

your search
| fields field1 field2 field3 field4
| append 
    [|makeresults 
     | addinfo 
     | eval mystart=relative_time(info_min_time,"@m")
     | eval myend=relative_time(info_max_time,"@m+61s")
     | eval mytimes=mvrange(mystart,myend,60)
     | table mytimes
     | mvexpand mytimes
     | rename mytimes as _time
     ]
| table _time field1 field2 field3 field4
| fillnulls value=""
| stats max(*) as * by _time

Some of that is unnecessary if you are using a stats command already,though.

your search
| fields foo bar
| bin _time span=1m
| stats count as mycount avg(foo) as avgfoo sum(bar) as sumbar by _time 
| append
    [|makeresults 
     | addinfo 
     | eval mystart=relative_time(info_min_time,"@m")
     | eval myend=relative_time(info_max_time,"@m+61s")
     | eval mytimes=mvrange(mystart,myend,60)
     | table mytimes
     | mvexpand mytimes
     | rename mytimes as _time
     | eval mycount = 0 
     ]
| stats sum(mycount) as count max(avgfoo) as avgfoo max(sumbar) as sumbar by _time

Re: Results for each minute in an hour (even if there's no data)

patilsh — Tue, 12 Sep 2017 04:48:05 GMT

time chart gives continuous value after the first entry is found:

For example is say present time is 9pm and I want 60minutes ago data, i.e data from 8pm

But if the first entry is 8:10pm , timechart will give all the values from 8:10 till 9pm irrespective of data is present or not, but I also want blank entries from 8:00 to 8:10 pm as well

Re: Results for each minute in an hour (even if there's no data)

patilsh — Tue, 29 Sep 2020 15:43:25 GMT

Hey,

can you please tell me what is info_min_time and info_max_time?