Solved: Show all buckets of _time in visualization includi...

jcrochon · ‎09-05-2017

Hello Splunker,

I'm trying to display a 'timestamp, event count' visualization including counts of zero events

host="[redacted]" src_port=* | bucket _time span=1h | stats count by _time | eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 16:00 1

Expected Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 14:00 0
2017-09-05 15:00 0
2017-09-05 16:00 1

DalJeanis · ‎09-05-2017

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

View solution in original post

DalJeanis · ‎09-05-2017

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Show all buckets of _time in visualization including zero counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation