I have data in which the content includes a filename with the timestamp in epoch time, as below:
File generated at : /home/AAA/file_one_573838339.txt
File generated at : /root/BBB/file_one_5722929299.txt
Now, the _time value for both events is different. I have converted the epoch time to a human-readable format and captured it in a field called "customdate"; now I want to know the count of files for each date.
I gave ... index=aaaa earliest=-28d@d latest=@d | ... | stats count by "customdate"
If I give this, I am getting the data for the last 28 days, but sometimes I only see the data for 10 days, not for all 28 days.
For the missing days, the data is not showing in the graph. It is only showing me the days for which data is present. Kindly help me to get this solved.
I should see the data as 0 for the missing days, along with the data present in the custom date.
I would suggest keeping it in epoch format, renaming it to _time and using timechart instead, like this:
index=aaaa earliest=-28d@d latest=@d | ....your logic to extract timestamp from file name in epoch format .. | eval _time=customdateinepoch | timechart span=1d count
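The suggestion above as a search that can be run without any indexed data. This is an added example, not part of the original answer. The three events are constructed with makeresults, the epoch values in the file names are made up, the rex pattern is an assumption about how the file names end, and the final strftime step (rebuilding a readable customdate after the zero-filling) goes slightly beyond what the answer shows. Run it with the time picker set to All time.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "File generated at : /home/AAA/file_one_1700000000.txt",
    n=2, "File generated at : /root/BBB/file_one_1700000600.txt",
    n=3, "File generated at : /home/AAA/file_one_1700345600.txt")
| rex field=_raw "_(?<customdateinepoch>\d+)\.txt$"
| eval _time=tonumber(customdateinepoch)
| timechart span=1d count
| eval customdate=strftime(_time, "%Y-%m-%d")
| table customdate count
```

The first two files land on the same day and the third lands four days later; the days in between come back as rows with count 0, which `stats count by customdate` would have left out.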