Splunk Search

Force Span to have values

TiagoMatos
Path Finder

Hello!

I'm trying to make a timechart with this:

sourcetype=processedsiebel NOT error* | eval X = replace(SWEMethod, "^(\w+)_@.+$", "\1") | timechart usenull=F limit=0 span=1s count by SWEMethod | table SWEMethod

The problem is there are seconds with no activity in any of the SWEMethod elements. So I'm trying to obtain 86400 entries (a full day) but only 39000 appear. How do I put a 0 on every timeline (second) that has no activity?

Thank you

1 Solution

jtrucks
Splunk Employee
Splunk Employee

The way I did this was with just the timechart.

For example, using my irssi IRC logs to reproduce the condition of some empty seconds and multiple values in the field (ircnick in this case) in the results:

| timechart span=1s usenull=f limit=0 count by ircnick

*note: I used a single minute for testing and the result count is 60.

The result looks like (with right side truncated for display purposes):

[image: timechart results, one row per second, right side truncated]

--
Jesse Trucks
Minister of Magic

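To make the bucketing behaviour concrete, here is a small Python model of what `timechart span=1s usenull=f count by <field>` does with its default continuous buckets: it emits one row for every second of the search window and writes 0 into seconds that had no events, rather than skipping them. This is an added illustration, not Splunk code or anything from the posts above; the six log events and the field names (SWEMethod values such as `GetProfile_@1`) are constructed for the example, and the `normalize_method` helper mirrors the `replace(SWEMethod, "^(\w+)_@.+$", "\1")` eval from the question. The second function shows what happens when the window only spans the first to last event: you get far fewer rows, which is the shape of result you see when the time picker does not cover the whole day, not because timechart drops empty seconds.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (ISO-8601 timestamp, raw SWEMethod value).
# Second 00:16:42 deliberately has no events so the zero-fill is visible.
SAMPLE_EVENTS = [
    ("2024-01-01T00:16:40Z", "GetProfile_@1"),
    ("2024-01-01T00:16:40Z", "Login_@7"),
    ("2024-01-01T00:16:41Z", "GetProfile_@2"),
    ("2024-01-01T00:16:43Z", "Login_@8"),
    ("2024-01-01T00:16:43Z", "Login_@9"),
    ("2024-01-01T00:16:44Z", "Logout_@1"),
]

# Same pattern as the eval in the question: keep the part before "_@".
METHOD_RE = re.compile(r"^(\w+)_@.+$")


def to_epoch(ts):
    """Parse a UTC ISO-8601 timestamp into integer epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def normalize_method(value):
    """Equivalent of replace(SWEMethod, "^(\\w+)_@.+$", "\\1")."""
    return METHOD_RE.sub(r"\1", value)


def timechart_count_by(events, earliest, latest, span=1):
    """Model of `timechart span=<span>s cont=true usenull=f count by X`.

    Returns (columns, rows). columns are the distinct split values seen
    in the window; rows is a list of (bucket_start_epoch, {column: count})
    with one entry for every span-aligned bucket in [earliest, latest),
    so a bucket with no events still appears, with all counts at 0.
    """
    counts = Counter()
    columns = set()
    for ts, raw in events:
        t = to_epoch(ts)
        if not (earliest <= t < latest):
            continue  # outside the search window, like Splunk's time picker
        method = normalize_method(raw)
        columns.add(method)
        counts[(t - (t % span), method)] += 1
    columns = sorted(columns)
    start = earliest - (earliest % span)
    rows = [
        (bucket, {c: counts.get((bucket, c), 0) for c in columns})
        for bucket in range(start, latest, span)
    ]
    return columns, rows


def full_day_chart(events, day="2024-01-01"):
    """Search window = the whole day, as the question wants: 86400 rows."""
    earliest = to_epoch(day + "T00:00:00Z")
    return timechart_count_by(events, earliest, earliest + 86400)


def event_bounded_chart(events):
    """Search window = first event through last event only.

    Every second in that narrow window is still present (zero-filled),
    but the row count is bounded by the window, not by the day.
    """
    epochs = [to_epoch(ts) for ts, _ in events]
    return timechart_count_by(events, min(epochs), max(epochs) + 1)


if __name__ == "__main__":
    cols, rows = full_day_chart(SAMPLE_EVENTS)
    print(len(rows), "rows; columns:", cols)
    for bucket, c in rows[1000:1005]:  # 00:16:40 .. 00:16:44
        print(bucket, c)
    print(len(event_bounded_chart(SAMPLE_EVENTS)[1]), "rows when window = event range")
```

Running it prints 86400 rows for the full-day window, with the 00:16:42 row showing 0 for every method, and only 5 rows when the window is narrowed to the events themselves. If a real search returns fewer than 86400 rows at `span=1s`, the first thing to check is therefore the search's earliest/latest range, not the timechart command.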


TiagoMatos
Path Finder

You're right, that should be totally enough. I definitely have another problem related to the data. What I noticed is that I have seconds with count=0, and they are shown as well as the others. I'll have to investigate what happened with the data. Thank you very much.

TiagoMatos
Path Finder

Ok, I'll try to clarify it: I just want the table of results. So what I expect to get is the number of SWEMethod events in each second, even if there hasn't been any Method of any type. So I want an 86400 x #SWEMethod matrix.


jtrucks
Splunk Employee
Splunk Employee

I used this same timechart using a dataset I knew would have null results for certain seconds, and I still have an entry for every second in the timechart. I tried doing the `| table fieldname...` but I got 0 results doing that. Are you looking for the timechart output, or just the list of results? The table at the end would just get you the list of results, right? If you need 86400 entries in the table, you might have to do funny stuff with eval to change the value of the count if it is 0.

I'm not entirely clear what the end result you are looking for should be. Could you clarify?

--
Jesse Trucks
Minister of Magic