Re: Results for each minute in an hour (even if th...

patilsh · ‎09-08-2017

Hello All,

Suppose I want a search results for past 60minutes, how spunk works now is if there is any event in past 60mins then that is displayed.

But what i want is Suppose time is 4pm and I give past 60mins, Splunk should start the data from 4:00, 4:01...... and so on till 5:00 irrespective of data is present or not, if data is not present then the result should give time with corresponding columns blank.

Can someone please help mw on this.

DalJeanis · ‎09-09-2017

That depends on what you mean by "corresponding columns".

If you have very sparse events, and are wanting to show the details for the events when they are present, but show blank lines with the _time if they are not, then you can do this...

your search
| fields field1 field2 field3 field4
| append 
    [|makeresults 
     | addinfo 
     | eval mystart=relative_time(info_min_time,"@m")
     | eval myend=relative_time(info_max_time,"@m+61s")
     | eval mytimes=mvrange(mystart,myend,60)
     | table mytimes
     | mvexpand mytimes
     | rename mytimes as _time
     ]
| table _time field1 field2 field3 field4
| fillnulls value=""
| stats max(*) as * by _time

Some of that is unnecessary if you are using a stats command already,though.

your search
| fields foo bar
| bin _time span=1m
| stats count as mycount avg(foo) as avgfoo sum(bar) as sumbar by _time 
| append
    [|makeresults 
     | addinfo 
     | eval mystart=relative_time(info_min_time,"@m")
     | eval myend=relative_time(info_max_time,"@m+61s")
     | eval mytimes=mvrange(mystart,myend,60)
     | table mytimes
     | mvexpand mytimes
     | rename mytimes as _time
     | eval mycount = 0 
     ]
| stats sum(mycount) as count max(avgfoo) as avgfoo max(sumbar) as sumbar by _time

patilsh · ‎09-11-2017

Hey,

can you please tell me what is info_min_time and info_max_time?

woodcock · ‎09-08-2017

Just add this:

| timechart span=1m count

patilsh · ‎09-11-2017

time chart gives continuous value after the first entry is found:

For example is say present time is 9pm and I want 60minutes ago data, i.e data from 8pm

But if the first entry is 8:10pm , timechart will give all the values from 8:10 till 9pm irrespective of data is present or not, but I also want blank entries from 8:00 to 8:10 pm as well

mtranchita · ‎09-09-2017

If I follow the desired outcome he would need to include usenull
so something like:
| timechart usenull=1 span=1m count

s2_splunk · ‎09-08-2017

If it's 4pm and you say 'past 60mins', Splunk will return data from 3pm-4pm. Not sure I understand what you are trying to do.

lfedak_splunk · ‎09-08-2017

Hey @patilsh, The comments on this post show each count by minute and then a second comment explains how to show the minutes without values
https://answers.splunk.com/answers/227568/how-to-edit-my-search-to-return-one-count-for-each.html

Results for each minute in an hour (even if there's no data)

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!