Solved: Chart including no results

jacqu3sy · ‎01-20-2021

I'm trying to create a chart showing activity from May through until now, knowing that the activity ceased some months ago. I want the chart to continue showing a flat line of zero from the time the activity stopped, rather than just stopping back in August.

How would I tweak the following query to include the ceased traffic?

earliest=05/01/2020:00:00:01 latest=now
index=nix sourcetype="nix" src_user=JohnD host=server1
| bin _time span=1w
| stats count by _time, host

Thanks.

ITWhisperer · ‎01-20-2021

The timechart command will generate the empty results for you

earliest=05/01/2020:00:00:01 latest=now
index=nix sourcetype="nix" src_user=JohnD host=server1 
| timechart span=1w count by host

View solution in original post

ITWhisperer · ‎01-20-2021

The timechart command will generate the empty results for you

earliest=05/01/2020:00:00:01 latest=now
index=nix sourcetype="nix" src_user=JohnD host=server1 
| timechart span=1w count by host

jacqu3sy · ‎01-20-2021

Simple as that! great, thanks.

Chart including no results

chart

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!