Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Back fill of data in timerange

smanojkumar
Contributor
‎03-03-2025 02:16 AM

Hello Splunkers,

I'm having a logs which will be generated only where there is change in system,

6:01:01 - System Stop
10:54:01 - System Start
13:09:04 - System Stop
16:01:01 - System Start
17:01:01 - System Stop

These are the logs.

Lets say If I'm searchit it in a chart, for the timerange from 7Am - 4Pm

the chart from 8Am until 10:54:01 Am is empty since the previous event was generated at 6:01:01, so there is a gap.

I would like to fix this. In some cases only 2 values is been repeated, so we can take the one in present, the past can be its opposite.

Eg -  At 10:54:01 - System Start, We have received this log, where the system is start, the previous one will be stop. 

These are fixed for some cased, I need two best solutions, only for this scenario, other for multiple values, like these

14:01:01 - System Started
17:54:01 - System reset
22:09:04 - System Stop
23:01:01 - System Started
01:01:01 - System Stop

wheres here I'm getting three values like Started, Stop and reset.


Thanks in Advance!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2025 02:28 AM

Please clarify what you want Splunk to assume in the second case, for example, if the search was from 21:00, would you want Splunk to assume the previous state was "System reset" or "System Start"?

Do you want to search for a longer period of time to try and find the previous state, and then remove these results from the chart?

0 Karma
Reply

smanojkumar
Contributor
‎03-03-2025 03:21 AM

Hello @ITWhisperer ,

Thanks for your reply.

17:54:01 - System reset
22:09:04 - System Stop
23:01:01 - System Started
01:01:01 - System Stop

In case of from 21:00, I need to take as System reset and followed by other values.

Actually I just need to fill the value, even the logs weren't there in teh selcted timerange.

Thanks!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2025 03:26 AM

How does Splunk know what the previous state was unless it is included in the search?

For example, if the first state is "System Stop" and the system was reset 3 days, or 3 weeks, or 3 months ago, what do you want Splunk to report?

0 Karma
Reply

smanojkumar
Contributor
‎03-03-2025 03:49 AM

Hello @ITWhisperer ,

Thanks for asking!

You are right.., It will be like, the next event will be received within 3 days, it wont take more time at wrost cases.

I'm using those values in the chart, when we are searching with less time range, I can't see the logs of the timerange in that time range because of the gap in logs, 

I have listed two scenarious, As per the scenario1, The perevious value is just a opposite value of the next one. 

Scenario 2 is bit hard, having multiple values, which can be generated before 3 days at wrost cases.


Thansk!


0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2025 04:17 AM

For the first case, try something like this

| append
    [| makeresults
    | addinfo
    | rename info_min_time as _time
    | fields _time
    | eval state="System unknown"]
| sort 0 - _time
| streamstats last(state) as previousState window=1 current=f
| eval state=if(state!="System unknown",state,if(previousState=="System Stop", "System Start", "System Stop"))
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-03-2025 02:23 AM

Hi @smanojkumar 

I may have misunderstood, but If you want the search to include the event at 6AM then you will need to change the earliest time within the search to cover this event. 

Feel free to share a screenshot example of what you are seeing to help explain the difference to your expectation/intention.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...