Splunk Search

Custom date should show the timechart with 0 for the non matching event

abhayneilam
Contributor

Hi,

I have a data in which there is a content of the filename with the timestamp in epoch time as below :

File generated at : /home/AAA/file_one_573838339.txt
File generated at : /root/BBB/file_one_5722929299.txt

Now, the _time value for both the events are diff. I have converted the epoch time in human readable format and captured in a field called "customdate", now I want to know what is the count of file for each date.

I gave .. .index=aaaa earliest=-28d@d latest=@d| ... .| stats count by "customdate"

If I give this, I am getting the data for the last 28 days but some times I only see the data for 10 days not for all 28 days.

for the missing days, the data is now showing in the graph. it is only showing me the data for which data is present. Kindly help me to get this solved.

I should see the data as 0 for the missing days along with the data present in the custom date.

0 Karma

ssadanala1
Contributor

This is another work around

base search |extract epoch format
| convert ctime(epochfield) as pct |bin pct span=1d | stats count by pct

0 Karma

abhayneilam
Contributor

This is not showing the result as expected as it is not showing the date for which there is no count. I want to have 0 for the dates when you dont have any events !!

0 Karma

somesoni2
Revered Legend

This will not fix the continuation issue which he was already facing with his stats. Timechart will fill in the gaps in between.

0 Karma

ssadanala1
Contributor

Thanks for correcting me .

0 Karma

somesoni2
Revered Legend

I would suggest keeping it in epoch format, rename to _time and use timechart instead, like this

index=aaaa earliest=-28d@d latest=@d
| ....your logic to extract timestamp from file name in epoch format ..|
| eval _time=customdateinepoch
|timechart span=1d count
0 Karma

abhayneilam
Contributor

This is not working, because if I do like this, all the value is coming as 0

0 Karma

somesoni2
Revered Legend

Can you share your full query?

0 Karma

p_gurav
Champion

Can you tell me how your extracting _time as epoch? And also what search query you are using for epoch conversion?

0 Karma

abhayneilam
Contributor

573838339 and 5722929299 are the epoch time , which we are changing to the customdate field and then doing stats count on that

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...