Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I add empty time buckets to my table?

jedatt01
Builder
‎03-28-2016 08:31 AM

I have a dataset which I cannot use timechart because i'm splitting by two fields. Not all of the values of message have events in all time buckets. Is there a way to add 0 time buckets for each of value of message? 

index=myindex msg_severity=* | bucket span=1m _time | stats count by message msg_severity _time
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jedatt01
Builder
‎03-29-2016 11:27 AM

I just figured out the solution. Somesoni2's response gave me hint. Since msg_severity is always the same for each message, I combined the fields, then ran it through the timechart command. Then untable and wa-lah!

index=myindex msg_severity=* | eval message_severity = message + "|" + msg_severity | timechart span=1m count by message_severity | untable _time message_severity count | eval temp = split(message_severity,"|") | eval message = mvindex(temp,0) | eval msg_severity = mvindex(temp,1) | table _time message msg_severity count

View solution in original post

Reply
Solved! Jump to solution
Solution

jedatt01
Builder
‎03-29-2016 11:27 AM

I just figured out the solution. Somesoni2's response gave me hint. Since msg_severity is always the same for each message, I combined the fields, then ran it through the timechart command. Then untable and wa-lah!

index=myindex msg_severity=* | eval message_severity = message + "|" + msg_severity | timechart span=1m count by message_severity | untable _time message_severity count | eval temp = split(message_severity,"|") | eval message = mvindex(temp,0) | eval msg_severity = mvindex(temp,1) | table _time message msg_severity count
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-29-2016 11:50 AM

If there could be more 10 messages possible, then you can include limit=0 in you timechart to ensure you get every message-severity listed for you.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-28-2016 02:32 PM

You need the fillnull command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull

Use it like this:

index=myindex msg_severity=* | fillnull value=NULL message msg_severity | bucket span=1m _time | stats count by message msg_severity _time
0 Karma
Reply
Solved! Jump to solution

jedatt01
Builder
‎03-29-2016 06:12 AM

Not quite there yet. Let me try to explain a little better. Not all of the values of message have entries every minute, so they won't show up in all time buckets. In my resulting table the entries for those time buckets are just missing, example below

_time message    msg_severity count
9:00   message1  error               10
9:01   message1  error               6
9:00   message2  warning          3
9:01   message2  warning          4
9:01   message3  notice              6

The 9:00 entry for message3 is missing. I want the table to look like

_time message    msg_severity count
9:00   message1  error               10
9:01   message1  error               6
9:00   message2  warning          3
9:01   message2  warning          4
9:00   message3  notice              0
9:01   message3  notice              6
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-29-2016 09:46 AM

What's max time range (considering 1m time bucket) and what's the total number of message-msg_severity combination? If either of them is smaller, we can try something with chart command.

0 Karma
Reply
Solved! Jump to solution

jedatt01
Builder
‎03-29-2016 11:10 AM

time range is only 2 minutes. Total message - msg_severity combinations is one. It's always unique. Hope that helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...