Solved: How can I display zero-value/empty time when using...

knarayana · ‎08-11-2017

Search:

index=* | bin span=1d _time | convert ctime(_time) as Time timeformat=%m/%d/%y |stats  count(eval(searchmatch("(match1)")))  count(eval(searchmatch("(match2)"))) by Time

The query doesn't give me the days that have zero value.

How can I get the stats for every day? And it should show me zero if it is zero on that particular day.

Thanks

sbbadri · ‎08-11-2017

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

View solution in original post

woodcock · ‎08-11-2017

Use timechart (which creates empty slots by default), like this:

index=*
| timechart span=1d count(eval(searchmatch("(match1)"))) AS match1 count(eval(searchmatch("(match2)"))) AS match2
| rename _time AS Time
| fieldformat Time=strftime(Time, "%m/%d/%y")

sbbadri · ‎08-11-2017

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval _time=strftime(_time,"%m/%d/%Y")

How can I display zero-value/empty time when using stats?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Join the Conversation