Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart- return all cell==0

maayan
Path Finder
‎01-10-2024 12:11 AM

Hi,

I need to find all time_interval for each machine where there is no data (no row for Name) .
(to goal is to create an alert if there was no data in a time interval for a machine)

for example, if we look at one day and machine X.
if there was data in time interval 8:00-10:00, 10:00-12:00.
I need to return X and the rest of the interval (12:00-1:00,1:00-2:00,..)

i wrote the following command: 
| chart count(Name) over machine by time_interval

i get a table with all interval and machines. cell=0 if there is no data.
i want to return all cell =0 (i need the interval and machine where cell=0)
but i didn't succeed.

i also tried to save the query and do left join but it doenst work.
it's a very simple mission, some can help me with that?

thanks,
Maayan

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-10-2024 03:40 AM 
| eval _time=strptime(TimeStamp, "%F %T")

| timechart span=12h count(Name) AS CountEvents by machine cont=t usenull=f useother=f

| untable _time machine count
| where count == 0

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-10-2024 01:07 AM 
| timechart span=2h count(Name) by machine
0 Karma
Reply
Solved! Jump to solution

maayan
Path Finder
‎01-10-2024 02:11 AM

thanks! i use TimeStamp and not _time.
how do i use it in my query?

 

| addinfo
| fieldformat info_min_time=strftime(info_min_time,"%c")
| fieldformat info_max_time=strftime(info_max_time,"%c")

| where strptime(TimeStamp,"%F %T.%3N")>info_min_time AND strptime(TimeStamp,"%F %T.%3N")<info_max_time

```Divide the time to intervals ```
| eval TimeStamp_epoch = strptime(TimeStamp, "%F %T")
| bin TimeStamp_epoch span=2d 
| eval interval_start = strftime(TimeStamp_epoch, "%F %T")
| eval interval_end = strftime(relative_time(TimeStamp_epoch, "+2d"), "%F %T") 
| eval interval_end = if(strptime(interval_end, "%F %T") > now(), strftime(now(), "%F %T"), interval_end)
| eval time_interval = interval_start . " to " . interval_end

| chart count(Name) over machine by time_interval
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-10-2024 02:15 AM

Use _time, then timechart will fill in the blanks for you

| eval _time=strptime(TimeStamp, "%F %T")
| timechart span=2h count(Name) by machine
0 Karma
Reply
Solved! Jump to solution

maayan
Path Finder
‎01-10-2024 03:28 AM

thanks! 🙂

i don't get all cells=0, no results when using the where clause (if i remove `where` i see that cells==0 exist) . i found a ticket: https://community.splunk.com/t5/Splunk-Search/How-to-show-only-fields-over-0/m-p/164589
maybe i can't do it with timechat?


| eval _time=strptime(TimeStamp, "%F %T")

| timechart span=12h count(Name) AS CountEvents by machine cont=t usenull=f useother=f

| where CountEvents=0

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-10-2024 03:40 AM 
| eval _time=strptime(TimeStamp, "%F %T")

| timechart span=12h count(Name) AS CountEvents by machine cont=t usenull=f useother=f

| untable _time machine count
| where count == 0
Reply
Solved! Jump to solution

maayan
Path Finder
‎01-10-2024 03:52 AM

i will do validations but i think that it works , thanks! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...