Solved: Re: How do I fill nulls in time series data withou...

jedatt01 · ‎02-12-2016

I have time series data that I want to bucket into 15 minute chunks with corresponding counts like so....

mysearch | bucket span=15m _time | stats count by groups _time

What I need next is for every value of groups that is null for a particular time bucket to be replaced with a 0

Basically I need the functionality of a timechart but I need to keep the groups field intact instead of each value of groups being split out into it's own field

This is what I would like my output table to look like:

_time | groups | count
10:00 am | group1 | 75
10:00 am | group2 | 0
10:00 am | group3 | 16
10:15 am | group1 | 14
10:15 am | group2 | 15
10:15 am | group3 | 0
10:30 am | group1 | 0
10:30 am | group2 | 105
10:30 am | group3 | 24
10:45 am | group1 | 1
10:45 am | group2 | 0
10:45 am | group3 | 75

somesoni2 · ‎02-12-2016

Try something like this

your base search | timechart span=15m count by groups limit=100 | untable _time groups count

View solution in original post

somesoni2 · ‎02-12-2016

Try something like this

your base search | timechart span=15m count by groups limit=100 | untable _time groups count

jedatt01 · ‎02-12-2016

wow, hod no idea it was so easy! thanks

How do I fill nulls in time series data without using timechart?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!