Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show computer in horizontal chart event if there are 0 events

LyDang
Explorer
‎08-23-2022 01:07 AM

I want to have a graph where where you can easily see when that system is no longer taking kerberos authentications.  But when it doesn't show anything for over 12h, then that object is no longer in that graph. Is there a way to keep my servers showing even if there are 0 events for that time period?

index=perfmon source="Perfmon:Security System-Wide Statistics" counter="Kerberos Authentications" earliest=-12h latest=now
[inputlookup Prod_DC.csv]
| eval host=lower(host)
|bucket span=5m time | stats count by _time,host|eval count=if(count>0,1,0)
|timechart span=5m limit=0 last(count) by host

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 09:06 PM

This is another way of appending the columns for any MISSING hosts entirely.

The first timechart + fillnull will create the gaps for all hosts found, but then the final appendcols will add in columns for any missing hosts

| makeresults count=50
| eval _time=now()-((random() % 62) * 60)
| eval host=mvindex(split("hosta,hostb,hostc",","), random() % 3) 
| bin _time span=5m 
| stats count by _time,host
| eval count=if(count>0,1,0)
|timechart span=5m limit=0 last(count) by host
| fillnull
| appendcols [
  | makeresults
  | eval host=split("hosta,hostb,hostc,hostd",",")
  | mvexpand host
  | eval count=0
  | chart values(count) as count over _time by host
]
| filldown

 Hopefully these will give you something to work with

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 01:43 AM

To show something that doesn't exist means you have to add that 'known' component back in. That means after your search you have to add back all the hosts you expect to see. If your hosts are in Prod_DC.csv you will need to append that data then massage the results with something like the method below for a simple stats collection

....
| append [
  | inputlookup Prod_DC.csv
  | eval count=0
]
| stats max(count) as count by host

 

0 Karma
Reply
Solved! Jump to solution

LyDang
Explorer
‎08-23-2022 06:24 PM

The problem is that I have:

|bucket span=5m time | stats count by _time,host|eval count=if(count>0,1,0)

I think this put events in 5m time slots.

 

I want a chart that will tell me every 5 minutes if 1/There are any events or 2/There are 0 events.

Also to have the server on the list if 0 events for that 12 hours.

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 09:06 PM

This is another way of appending the columns for any MISSING hosts entirely.

The first timechart + fillnull will create the gaps for all hosts found, but then the final appendcols will add in columns for any missing hosts

| makeresults count=50
| eval _time=now()-((random() % 62) * 60)
| eval host=mvindex(split("hosta,hostb,hostc",","), random() % 3) 
| bin _time span=5m 
| stats count by _time,host
| eval count=if(count>0,1,0)
|timechart span=5m limit=0 last(count) by host
| fillnull
| appendcols [
  | makeresults
  | eval host=split("hosta,hostb,hostc,hostd",",")
  | mvexpand host
  | eval count=0
  | chart values(count) as count over _time by host
]
| filldown

 Hopefully these will give you something to work with

Reply
Solved! Jump to solution

LyDang
Explorer
‎08-23-2022 10:27 PM

That works for me! Many thanks 😀

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 08:21 PM

Here's one example of how to fill in gaps

| makeresults count=50
| eval _time=now()-((random() % 60) * 60)
| eval host=mvindex(split("hosta,hostb,hostc",","), random() % 3) 
| bin _time span=5m 
| stats count by _time,host
| eval count=if(count>0,1,0)
| append [
  | makeresults
  | eval host=split("hosta,hostb,hostc",",")
  | addinfo
  | eval time_window = info_max_time - info_min_time
  | eval bin_count = round(time_window / 300)
  | mvexpand host
  | eval bins=mvrange(1, bin_count + 1, 1)
  | mvexpand bins
  | eval _time=now() - (bins * 300)
  | eval count = 0, dummy=1
  | fields _time host count 
]
| bin _time span=5m 
| stats max(count) as count by _time,host
|timechart span=5m limit=0 last(count) by host

It generates the additional check data in the append by taking all the 'known' hosts and creating extra rows on the end for each 5 minute bin within the search window, and then stats joins them back together - then you can use your timechart at the end

There's probably another way to fill the gaps - there always is with Splunk

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...