Solved: Chart including no results

jacqu3sy · ‎01-20-2021

I'm trying to create a chart showing activity from May through until now, knowing that the activity ceased some months ago. I want the chart to continue showing a flat line of zero from the time the activity stopped, rather than just stopping back in August.

How would I tweak the following query to include the ceased traffic?

earliest=05/01/2020:00:00:01 latest=now
index=nix sourcetype="nix" src_user=JohnD host=server1
| bin _time span=1w
| stats count by _time, host

Thanks.

ITWhisperer · ‎01-20-2021

The timechart command will generate the empty results for you

earliest=05/01/2020:00:00:01 latest=now
index=nix sourcetype="nix" src_user=JohnD host=server1 
| timechart span=1w count by host

View solution in original post

ITWhisperer · ‎01-20-2021

The timechart command will generate the empty results for you

earliest=05/01/2020:00:00:01 latest=now
index=nix sourcetype="nix" src_user=JohnD host=server1 
| timechart span=1w count by host

jacqu3sy · ‎01-20-2021

Simple as that! great, thanks.

Chart including no results

chart

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation