Splunk Search

Append values as 0 with time for search and subsearch

avaishsplunk
Path Finder
 In my search query, I have 2 searches

 1. This gives stats for today

 2. This gives stats for the period entered as parameters to the panel (which is a) Last week same day/time b) Last month same day time c) Yesterday same day/time

 The issue i am facing is if we have no events for 1 and 2, I need to show 0 as stats for both the mentioned criteria's along with dates

 e.g.

 Date Requests
 12/31/2016 0
 12/30/2016 0

 same as

 12/31/2016 --> 0
 12/24/2016 ---> 0

 I need the above so that i can put a single value field with trend charts

 [| gentimes start=-1 
 | eval earliest=if(lower(strftime(now(),"%A"))="monday", "-3d@d", "-1d@d") 
 | eval latest=if(lower(strftime(now(),"%A"))="monday","-3d@s", "-1d@s")
 | table earliest, latest | format "" "" "" "" "" ""] index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=ccpath=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),cc)
 | mvexpand combined|eval combined=split(combined,",")
 | eval OpName=mvindex(combined,0)
 | eval EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"|append
 [search earliest=@d index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=CDC_RDC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),CDC_RDC)
 | mvexpand combined
 | eval combined=split(combined,",")
 | eval OpName=mvindex(combined,0)
 | eval EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"]
 | bucket _time span=1d
 | stats sum(Line_Count) AS Requests by _time

Any help on this pls

Tags (1)
0 Karma

DalJeanis
Legend

Did you solve this issue to your satisfaction? You are pulling a lot of unneeded data just to produce a line plot of requests by _time, and that somewhat obscured the question.

0 Karma

javiergn
Super Champion

Have you tried the makecontinuous command?

Makes a field on the x-axis numerically continuous by adding empty buckets for periods where there is no data and quantifying the periods where there is data.

0 Karma

avaishsplunk
Path Finder

Sorry that will not help, as i need to show a single value with a trend comparison showing with Yesterday, Last Week, last Month

so basically user will select an option parameter say last week then my output should show todays value with a trend line having last week value of same time.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...