Solved: Show all buckets of _time in visualization includi...

jcrochon · ‎09-05-2017

Hello Splunker,

I'm trying to display a 'timestamp, event count' visualization including counts of zero events

host="[redacted]" src_port=* | bucket _time span=1h | stats count by _time | eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 16:00 1

Expected Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 14:00 0
2017-09-05 15:00 0
2017-09-05 16:00 1

DalJeanis · ‎09-05-2017

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

View solution in original post

DalJeanis · ‎09-05-2017

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Show all buckets of _time in visualization including zero counts

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Show all buckets of _time in visualization including zero counts

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES