Solved: Re: How can I display zero-value/empty time when u...

knarayana · ‎08-11-2017

Search:

index=* | bin span=1d _time | convert ctime(_time) as Time timeformat=%m/%d/%y |stats  count(eval(searchmatch("(match1)")))  count(eval(searchmatch("(match2)"))) by Time

The query doesn't give me the days that have zero value.

How can I get the stats for every day? And it should show me zero if it is zero on that particular day.

Thanks

sbbadri · ‎08-11-2017

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

View solution in original post

woodcock · ‎08-11-2017

Use timechart (which creates empty slots by default), like this:

index=*
| timechart span=1d count(eval(searchmatch("(match1)"))) AS match1 count(eval(searchmatch("(match2)"))) AS match2
| rename _time AS Time
| fieldformat Time=strftime(Time, "%m/%d/%y")

sbbadri · ‎08-11-2017

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

How can I display zero-value/empty time when using stats?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation