Add zero value when using _time field

whitefang1726 · ‎04-27-2021

When using stats count on searches, it does not show zero values on specific time intervals.

Example:
index=main sourcetype=test (event=eventA OR eventB)
| bin _time span=1h
| stats count by _time, event

Sample Result:

_time Event count
04/27 1:00AM EventA 10
04/27 2:00AM EventA 10
04/27 1:00AM EventB 10

How can I show row with zero value?
_time Event count
04/27 1:00AM EventA 10
04/27 2:00AM EventA 10
04/27 3:00AM EventA 0
04/27 1:00AM EventB 10
04/27 2:00AM EventB 0
04/27 3:00AM EventB 0

richgalloway · ‎04-27-2021

The stats command will not fill in missing values, but timechart will.

index=main sourcetype=test (event=eventA OR eventB)
| timechart span=1h count by event

---
If this reply helps you, Karma would be appreciated.

whitefang1726 · ‎04-27-2021

I was expecting a non-timechart command, but that works. Better than creating long queries. 😄

Thanks!

richgalloway · ‎04-28-2021

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

Add zero value when using _time field

stats

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

Add zero value when using _time field

stats

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?