Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I display zero-value/empty time when using stats?

knarayana
New Member
‎08-11-2017 09:47 AM

Search:

index=* | bin span=1d _time | convert ctime(_time) as Time timeformat=%m/%d/%y |stats  count(eval(searchmatch("(match1)")))  count(eval(searchmatch("(match2)"))) by Time

The query doesn't give me the days that have zero value.

How can I get the stats for every day? And it should show me zero if it is zero on that particular day.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sbbadri
Motivator
‎08-11-2017 10:35 AM

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-11-2017 10:42 AM

Use timechart (which creates empty slots by default), like this:

index=*
| timechart span=1d count(eval(searchmatch("(match1)"))) AS match1 count(eval(searchmatch("(match2)"))) AS match2
| rename _time AS Time
| fieldformat Time=strftime(Time, "%m/%d/%y")
0 Karma
Reply
Solved! Jump to solution
Solution

sbbadri
Motivator
‎08-11-2017 10:35 AM

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!