search showing times when raw events were 0

Skins · ‎05-08-2018

Looking to do a search which shows start time and end time when _raw events were 0 over a say 24hr period.

Trying to find out when and how often my events drop to 0 for specific hosts

gratzi

FrankVl · ‎05-09-2018

I'd start with:

| tstats count where index=foo host=bar by _time | timechart sum(count) as count

And then either inspect a visualization, or do some further filtering on those results to find periods where count is 0.

xpac · ‎05-09-2018

You might need to add prestats=true right after tstats, don't you?

FrankVl · ‎05-09-2018

Why? I've never used that setting before to be honest. I just tried it but don't see what value it adds to just the plain approach I suggested?

xpac · ‎05-09-2018

From the docs:

Specifies whether to use the prestats format. The prestats format is a Splunk internal format that is designed to be consumed by commands that generate aggregate calculations. When using the prestats format you can pipe the data into the chart, stats, or timechart commands, which are designed to accept the prestats format. When prestats=true, AS instructions are not relevant. The field names for the aggregates are determined by the command that consumes the prestats format and produces the aggregate output.

I understood it as it is required for timechart etc. to properly work on tstats data, and at least once had trouble when not using it, because the output was wrong. Maybe it's only needed if you use specific features of timechart? Just wanted to mention it exists, in case you run into trouble when not using it 🙂

FrankVl · ‎05-09-2018

Yeah, I read that as well and it isn't really making it any clearer for me 😄

search showing times when raw events were 0

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk