Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Avg Day of Week does not show up, when no result found

Silmarillion197
Explorer
‎05-17-2019 01:30 AM

Hello,

I`m trying to find a solution for this problem. The result of the following SPL query should show every day of the week in a diagram. So the diagram should show Mon ... Tue ... Thu ... Wed ... Fri ... Sat ... Sun (x-axis) always, even if there is no data at all (seems that if no avg or no sum can be aggregated then the specific day of the week will not show up).
=> I have tried to fillnull, value=0 or coalesce ifnull but this is not working for me, as the day of week with no result is never shown.

_time is overwritten because events loaded into splunk are deferred sometimes, so I use the real START_TIME of Event as base for calculations. This is working so far, except if a "day of week" has no data:

index="rw_trail_complete"
      | eval StartEpoch=strptime(START_TIME, "%Y-%m-%d %H:%M:%S.%Q")
      | eval _time=StartEpoch
      | eval EndEpoch=strptime(END_TIME, "%Y-%m-%d %H:%M:%S.%Q") 
      | eval DayOfWeekName=strftime(_time, "%a")
      | eval DayOfWeekNumber=strftime(_time, "%u")
      | eval Dur = EndEpoch - StartEpoch
      | bucket _time span=1d
      | search SCRIPT_NAME=$scriptName$
      | eventstats count AS "Num Events per day" by DayOfWeekNumber
      | table DayOfWeekName, DayOfWeekNumber, "Num Events per day", Dur
      | stats avg(Dur) AS "Avg Dur per Day of Week" by DayOfWeekNumber, DayOfWeekName, "Num Events per day"
      | table DayOfWeekName, "Avg Dur per Day of Week", "Num Events per day"
Tags (3)
0 Karma
Reply

nabeel652
Builder
‎05-19-2019 06:53 PM

Create a lookup table with fields DayNumber, DayofWeekName
Like this:

DayNumber              DayOfWeek
0                          Sunday
1                          Monday
...
6                           Saturday

and 

| inpulookup daysofweek | join DayOfWeekName [| search <your search>]
0 Karma
Reply

Silmarillion197
Explorer
‎05-22-2019 03:05 AM

This seems to be correct. But I have to figure out, on how to create a lookup table. At this time my created lookup table can`t be found in splunk search. It seems that a lookup has to be defined in the transformation.conf so that splunk can find ist (this file I can only change together with the splunk administrator). Thy so far.

0 Karma
Reply

nabeel652
Builder
‎05-23-2019 04:33 PM

Just create a .csv file and upload as a lookup through
Settings >> Lookups >> Lookup table Files

and then reference it with a .csv suffix

|inputloookup daysofweek.csv | join DayOfWeekName [| search ]

0 Karma
Reply

nabeel652
Builder
‎05-23-2019 04:34 PM

Please mark the answer as accepted if it works. Thanks

0 Karma
Reply

Silmarillion197
Explorer
‎05-22-2019 03:01 AM

Sorry, this doesnt work for me, as day of the week in my table is a row and not a column. Day of week is nevertheless shown in the chart as x-axis. If there is no event for a certain day of the week, you cant make splunk to invent one (only with makeresults which is not a suitable solution).

0 Karma
Reply

Sukisen1981
Champion
‎05-18-2019 08:10 AM

something like this,
here i have ticket priorities - pri1-pri4 and those volumes are not always there in the given time range, so I had to use something like this

|fields Pri1,Pri2,Pri3,Pri4|fillnull value=0 Pri1,Pri2,Pri3,Pri4

In your case you need to use something like - |fields Sun,Mon,Tue,Wed,Thu,Fri,Sat|fillnull value=0 Sun,Mon,Tue,Wed,Thu,Fri,Sat

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...