Solved: Re: How can I display zero-value/empty time when u...

knarayana · ‎08-11-2017

Search:

index=* | bin span=1d _time | convert ctime(_time) as Time timeformat=%m/%d/%y |stats  count(eval(searchmatch("(match1)")))  count(eval(searchmatch("(match2)"))) by Time

The query doesn't give me the days that have zero value.

How can I get the stats for every day? And it should show me zero if it is zero on that particular day.

Thanks

sbbadri · ‎08-11-2017

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

View solution in original post

woodcock · ‎08-11-2017

Use timechart (which creates empty slots by default), like this:

index=*
| timechart span=1d count(eval(searchmatch("(match1)"))) AS match1 count(eval(searchmatch("(match2)"))) AS match2
| rename _time AS Time
| fieldformat Time=strftime(Time, "%m/%d/%y")

sbbadri · ‎08-11-2017

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

How can I display zero-value/empty time when using stats?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How can I display zero-value/empty time when using stats?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!