Custom date should show the timechart with 0 for the non matching event

Contributor

Hi,

I have data in which the content contains a filename with the timestamp in epoch time, as below:

File generated at : /home/AAA/file_one_573838339.txt
File generated at : /root/BBB/file_one_5722929299.txt

Now, the _time value for both events is different. I have converted the epoch time to a human-readable format and captured it in a field called "customdate"; now I want to know the count of files for each date.

I gave: index=aaaa earliest=-28d@d latest=@d | ... | stats count by "customdate"

If I give this, I get the data for the last 28 days, but sometimes I only see data for 10 days, not for all 28 days.

For the missing days, the data is not showing in the graph; it only shows me the dates for which data is present. Kindly help me get this solved.

I should see 0 for the missing days, along with the data present in the custom date.

0 Karma

Contributor

This is another workaround:

base search |extract epoch format
| convert ctime(epochfield) as pct |bin pct span=1d | stats count by pct

0 Karma

Contributor

This is not showing the result as expected, as it is not showing the dates for which there is no count. I want to have 0 for the dates when you don't have any events!!

0 Karma

Revered Legend

This will not fix the continuation issue he was already facing with his stats. Timechart will fill in the gaps in between.

0 Karma

Contributor

Thanks for correcting me.

0 Karma

Revered Legend

I would suggest keeping it in epoch format, renaming it to _time and using timechart instead, like this:

index=aaaa earliest=-28d@d latest=@d
| ....your logic to extract timestamp from file name in epoch format ..
| eval _time=customdateinepoch
| timechart span=1d count

0 Karma
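As an added example, not from any post in this thread: sample events are constructed with makeresults in the same "File generated at : ..._<epoch>.txt" shape as the question, the epoch is pulled out with rex and kept numeric (as the Revered Legend advises), and the missing days are then filled with 0 via makecontinuous and fillnull, so the stats-based route also yields a continuous series. The filename pattern `_<digits>.txt` and the field name `file_epoch` are assumptions, and the epoch values are constructed (they span Nov 14 to Nov 19 2023 UTC, leaving three empty days in between).

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(n==1, "File generated at : /home/AAA/file_one_1700000000.txt",
                 n==2, "File generated at : /root/BBB/file_one_1700086400.txt",
                 n==3, "File generated at : /home/AAA/file_two_1700090000.txt",
                 n==4, "File generated at : /root/BBB/file_two_1700400000.txt")
| rex field=_raw "_(?<file_epoch>\d+)\.txt$"
| eval _time=tonumber(file_epoch)
| bin _time span=1d
| stats count BY _time
| makecontinuous _time span=1d
| fillnull value=0 count
```

Replace the makeresults/eval lines with `index=aaaa earliest=-28d@d latest=@d` to run it against the real data; the rex, eval and gap-filling steps stay the same.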

Contributor

This is not working, because if I do this, all the values come out as 0.

0 Karma

Revered Legend

Can you share your full query?

0 Karma

Champion

Can you tell me how you're extracting _time as epoch? And also what search query you are using for the epoch conversion?

0 Karma

Contributor

573838339 and 5722929299 are the epoch times, which we are changing to the customdate field and then doing stats count on that.

0 Karma