Splunk Search

Force Span to have values

Path Finder

Hello!

I'm trying to make a timechart with this:

sourcetype=processedsiebel NOT error*| eval X =replace(SWEMethod, "^(\w+)_@.+$", "\1" ) | timechart usenull=F limit=0 span=1s count by SWEMethod | table SWEMethod

The problem is there are seconds with no activity in any of the SWEMethod elements. So I'm trying to obtain 86400 entries (a full day) but only 39000 appear. How do I put a 0 on every timeline (second) that has no activity?

Thank you

1 Solution

Splunk Employee

The way I did this was with just the timechart.

For example, using my irssi IRC logs to reproduce the condition of some empty seconds and multiple values in the field (ircnick in this case) in the results:

| timechart span=1s usenull=f limit=0 count by ircnick

*note: I used a single minute for testing and the result count is 60.

The result looks like (with right side truncated for display purposes):

[Screenshot: timechart output with one row per second and a count column per ircnick value; right side truncated]

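The accepted answer hinges on one property of timechart: the rows come from the search time range cut into span-sized buckets, not from the seconds that happen to contain events, so a bucket with no matching events still appears (with count 0 once nulls are filled). The Python below is an added illustration of that bucketing, not code from the thread or from Splunk; it re-implements what `timechart span=1s count by <field>` produces over a small set of constructed events so the 86400-row expectation can be checked end to end. It buckets by the normalized method name that the posted `eval X=replace(...)` computes (the posted search computes X but then counts by SWEMethod; make `normalize_method` return its input unchanged to mirror that exactly). Event timestamps, method names and the window boundaries are all assumptions made up for the example.

```python
"""Added example: a minimal model of `timechart span=1s count by <field>`.

Shows that the number of output rows is fixed by the search window
(earliest/latest) and the span, and that seconds with no events are
zero-filled rather than dropped. Not part of the original thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (timestamp, SWEMethod); not real Siebel data.
SAMPLE_EVENTS = [
    ("2024-01-01T00:00:00Z", "Login_@foo"),
    ("2024-01-01T00:00:00Z", "Login_@bar"),
    ("2024-01-01T00:00:02Z", "Query_@baz"),
    ("2024-01-01T00:00:05Z", "Login_@foo"),
    ("2024-01-02T03:00:00Z", "Query_@late"),  # outside a one-day window
]

# Same pattern as the posted eval: replace(SWEMethod, "^(\w+)_@.+$", "\1")
METHOD_RE = re.compile(r"^(\w+)_@.+$")


def normalize_method(value):
    """Keep the prefix before '_@', as the posted replace() does.

    Values that do not match are returned unchanged, which is also what
    replace() does when the regex does not match.
    """
    m = METHOD_RE.match(value)
    return m.group(1) if m else value


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timechart_count_by(events, earliest, latest, span=1):
    """Model of `timechart span=<span> count by <field>` with zero fill.

    Returns (rows, columns). rows has one dict per bucket from earliest
    (inclusive) to latest (exclusive), each with '_time' plus one count per
    column; columns is the sorted list of distinct normalized method names.
    Buckets with no events still appear, with every count set to 0.
    """
    earliest = parse_ts(earliest)
    latest = parse_ts(latest)
    counts = defaultdict(lambda: defaultdict(int))
    columns = set()

    for ts, method in events:
        t = parse_ts(ts)
        if not (earliest <= t < latest):
            continue  # outside the search window, like Splunk's earliest/latest
        offset = (t - earliest).total_seconds()
        bucket = earliest + timedelta(seconds=(offset // span) * span)
        col = normalize_method(method)
        columns.add(col)
        counts[bucket][col] += 1

    columns = sorted(columns)
    rows = []
    t = earliest
    while t < latest:  # one row per bucket across the whole window
        rows.append({"_time": t, **{c: counts[t].get(c, 0) for c in columns}})
        t += timedelta(seconds=span)
    return rows, columns


if __name__ == "__main__":
    rows, cols = timechart_count_by(
        SAMPLE_EVENTS, "2024-01-01T00:00:00Z", "2024-01-01T00:00:10Z"
    )
    print("_time".ljust(26), *cols)
    for r in rows:
        print(r["_time"].isoformat().ljust(26), *(r[c] for c in cols))
    day_rows, _ = timechart_count_by(
        SAMPLE_EVENTS, "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z"
    )
    print("rows over a full day:", len(day_rows))
```

Run stand-alone it prints a ten-second matrix with zero rows for seconds 1, 3, 4 and 6 through 9, and then reports 86400 rows for the one-day window. In SPL the two things this model makes explicit are pinning the window with explicit `earliest`/`latest` on the search (so the bucket grid covers the full day regardless of where the data starts and stops) and adding `| fillnull value=0` after the timechart if any null cells remain.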


Path Finder

You're right, that should be totally enough. I definitely have another problem related to the data. The fact I noticed is that I have seconds with count=0 and they are shown as well as the others. I'll have to investigate what happened with the data. Thank you very much.

Path Finder

Ok, I'll try to clarify it: I just want the table of results. So what I expect to get is the number of SWEMethod events in each second, even if there hasn't been any Method of any type. So I want an 86400 x #SWEMethod matrix.


Splunk Employee

I used this same timechart using a dataset I knew would have null results for certain seconds, and I still have an entry for every second in the timechart. I tried doing the |table fieldname... but I got 0 results doing that. Are you looking for the timechart output, or just the list of results? The table at the end would just get you the list of results, right? If you need 86400 entries in the table, you might have to do funny stuff with eval to change the value of the count if it is 0.

I'm not entirely clear what the end result you are looking for should be. Could you clarify?
