How can I write a search that returns _time in 1-second intervals even when _time stamp doesn't match a value?

patilsh
Explorer

Hello Guys,

I have a column _time

Ex Values (Suppose the search has 4 events here):
2017-08-11 12:06:51
2017-08-11 12:06:54
2017-08-11 12:06:56
2017-08-11 12:06:58

Now my intention is that I want _time to increment by one second, so that even though there is no row with 2017-08-11 12:06:52, I want to add a row with all other columns to be 0.

So my new data should look like:
2017-08-11 12:06:51
2017-08-11 12:06:52
2017-08-11 12:06:53
2017-08-11 12:06:54
2017-08-11 12:06:55
2017-08-11 12:06:56
2017-08-11 12:06:57
2017-08-11 12:06:58
So all the appended time which was not there should have the other column entries of search as 0. The new search should have 8 events now.

Can someone please help me with this, as I am not able to understand how to do it.

Regards
Shailendra Patil

0 Karma

cpetterborg
SplunkTrust

You don't explain exactly what your search is, but you can probably get most of what you need to use by reading the following answers entry:

https://answers.splunk.com/answers/103432/how-to-replace-all-null-values-between-two-dates-min-and-m...

And here is the fillnull documentation:

https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Fillnull

0 Karma

lfedak_splunk
Splunk Employee

Hey @patilsh, This might help? https://answers.splunk.com/answers/10147/how-to-show-events-per-second-in-timechart-regardless-of-sp... I'm just a community moderator, so I'll keep an eye on the post and try new tags if no experts see it this weekend.

0 Karma
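
One way to produce the 1-second rows asked for above, combining the fillnull command the replies point to with makecontinuous (an added example, not written by any poster in this thread). The makeresults, streamstats and first two eval lines only construct the four sample timestamps from the question; the `bytes` field and its values are made up for illustration, and in a real search those lines are replaced by your own base search.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = strptime("2017-08-11 12:06:51", "%Y-%m-%d %H:%M:%S") + case(n=1, 0, n=2, 3, n=3, 5, n=4, 7)
| eval bytes = n * 100
| fields _time bytes
| makecontinuous _time span=1s
| fillnull value=0 bytes
| table _time bytes
```

The result has 8 rows, one per second from 12:06:51 to 12:06:58, with `bytes` set to 0 on the four rows that makecontinuous added.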