Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I write a search that returns _time in 1-second intervals even when _time stamp doesn't match a value?

patilsh
Explorer
‎08-11-2017 05:13 PM

Hello Guys,

I have a column _time

Ex Values (Suppose the search has 4 events here):
2017-08-11 12:06:51
2017-08-11 12:06:54
2017-08-11 12:06:56
2017-08-11 12:06:58

Now my intention is I want _time to increment by one second, that even though there is not row with 2017-08-11 12:06:52, I want to add a row with all other columns to be 0,

So my new data should look like
2017-08-11 12:06:51
2017-08-11 12:06:52
2017-08-11 12:06:53
2017-08-11 12:06:54
2017-08-11 12:06:55
2017-08-11 12:06:56
2017-08-11 12:06:57
2017-08-11 12:06:58
So all the appended time which was not there should have the other column entries of search as 0. The new search should have 8 events now.

Can someone please help me with this, as I am not able to understand how to do it.

Regards
Shailendra Patil

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎08-11-2017 09:59 PM

You don't explain exactly what your search is, but you can probably get most of what you need to use by reading the following answers entry:

https://answers.splunk.com/answers/103432/how-to-replace-all-null-values-between-two-dates-min-and-m...

And here is the fillnull documentation:

https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Fillnull

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-11-2017 05:34 PM

Hey @patilsh, This might help? https://answers.splunk.com/answers/10147/how-to-show-events-per-second-in-timechart-regardless-of-sp... I'm just a community moderator, so I'll keep an eye on the post and try new tags if no experts see it this weekend.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...