topic Re: Back fill of data in timerange in Splunk Search

Back fill of data in timerange

smanojkumar — Mon, 03 Mar 2025 10:21:33 GMT

Hello Splunkers,

I'm having a logs which will be generated only where there is change in system,

6:01:01 - System Stop
10:54:01 - System Start
13:09:04 - System Stop
16:01:01 - System Start
17:01:01 - System Stop

These are the logs.

Lets say If I'm searchit it in a chart, for the timerange from 7Am - 4Pm

the chart from 8Am until 10:54:01 Am is empty since the previous event was generated at 6:01:01, so there is a gap.

I would like to fix this. In some cases only 2 values is been repeated, so we can take the one in present, the past can be its opposite.

Eg - At 10:54:01 - System Start, We have received this log, where the system is start, the previous one will be stop.

These are fixed for some cased, I need two best solutions, only for this scenario, other for multiple values, like these

14:01:01 - System Started
17:54:01 - System reset
22:09:04 - System Stop
23:01:01 - System Started
01:01:01 - System Stop

wheres here I'm getting three values like Started, Stop and reset.

Thanks in Advance!

Re: Back fill of data in timerange

livehybrid — Mon, 03 Mar 2025 10:23:23 GMT

Hi @smanojkumar

I may have misunderstood, but If you want the search to include the event at 6AM then you will need to change the earliest time within the search to cover this event.

Feel free to share a screenshot example of what you are seeing to help explain the difference to your expectation/intention.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: Back fill of data in timerange

ITWhisperer — Mon, 03 Mar 2025 10:28:43 GMT

Please clarify what you want Splunk to assume in the second case, for example, if the search was from 21:00, would you want Splunk to assume the previous state was "System reset" or "System Start"?

Do you want to search for a longer period of time to try and find the previous state, and then remove these results from the chart?

Re: Back fill of data in timerange

smanojkumar — Mon, 03 Mar 2025 11:21:01 GMT

Hello @ITWhisperer ,

Thanks for your reply.

17:54:01 - System reset
22:09:04 - System Stop
23:01:01 - System Started
01:01:01 - System Stop

In case of from 21:00, I need to take as System reset and followed by other values.

Actually I just need to fill the value, even the logs weren't there in teh selcted timerange.

Thanks!

Re: Back fill of data in timerange

ITWhisperer — Mon, 03 Mar 2025 11:26:09 GMT

How does Splunk know what the previous state was unless it is included in the search?

For example, if the first state is "System Stop" and the system was reset 3 days, or 3 weeks, or 3 months ago, what do you want Splunk to report?

Re: Back fill of data in timerange

smanojkumar — Mon, 03 Mar 2025 11:49:26 GMT

Hello @ITWhisperer ,

Thanks for asking!

You are right.., It will be like, the next event will be received within 3 days, it wont take more time at wrost cases.

I'm using those values in the chart, when we are searching with less time range, I can't see the logs of the timerange in that time range because of the gap in logs,

I have listed two scenarious, As per the scenario1, The perevious value is just a opposite value of the next one.

Scenario 2 is bit hard, having multiple values, which can be generated before 3 days at wrost cases.

Thansk!

Re: Back fill of data in timerange

ITWhisperer — Mon, 03 Mar 2025 12:17:30 GMT

For the first case, try something like this